Malware Analysis Report

2025-06-15 23:32

Sample ID 241109-xxcegssrgl
Target BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe
SHA256 a56fd8aa5ffdaddaf58e4fbe8cbb2359fd11f2a93f34d9d0df610baf96972207
Tags
discovery evasion persistence privilege_escalation
score
6/10

Analysis Overview

score
6/10

SHA256

a56fd8aa5ffdaddaf58e4fbe8cbb2359fd11f2a93f34d9d0df610baf96972207

Threat Level: Shows suspicious behavior

The file BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence privilege_escalation

Downloads MZ/PE file

Modifies Windows Firewall

Adds Run key to start application

Checks computer location settings

Drops file in System32 directory

Enumerates processes with tasklist

Checks installed software on the system

Drops file in Program Files directory

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: RenamesItself

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:13

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:13

Reported

2024-11-09 19:16

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.BlueStacks Services = "C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe --hidden" C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\storage.json C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
File opened for modification C:\Windows\system32\storage.json C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\BlueStacks X\image\radioButton C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\language\de.qm C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\access\libaccess_imem_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libequalizer_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\codec\libfluidsynth_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\api-ms-win-core-processthreads-l1-1-1.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\CloudGame\TitlebarRefresh.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\email.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\HvDialog_Tips.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\Search\Promotes_Title.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\CloudGame_hover.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\Marketplace.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-convert-l1-1-0.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libyuy2_i422_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\fa.pak C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\fr.pak C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\sw.pak C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-cpp-sdk-s3.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\misc\libfingerprinter_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\mux\libmux_ps_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\Qt5QmlModels.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\ucrtbase.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\account\discord.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\MIM.ico C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\Tutorial\PremiumGames\Icon_title.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\language\ja.qm C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\codec\libschroedinger_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\xplugins\StrategyPlugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\account\Choose_img1.png C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\services_discovery\libwindrive_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\CloudGame\TitlebarMinimize.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\language\en.qm C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\mediaservice\qtmedia_audioengine.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\audio_output\libafile_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\codec\libaraw_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\UIControl.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\position\qtposition_winrt.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\Gallery\close_normal.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\radioButton\selected_hover.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\CloudGame.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\kn.pak C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-filesystem-l1-1-0.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libsepia_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\account\icon_ photoicon_camera.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libfreeze_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\video_output\libcaca_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\iconengines C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\image\Gallery\next_disabled.svg C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\image\nowgg_logo.png C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\resources\qtwebengine_devtools_resources.pak C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\libvlc.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\access\libhttp_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libugly_resampler_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\ko.pak C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\translations\qt_nl.qm C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\7z.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\plugins\mux\libmux_dummy_plugin.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File opened for modification C:\Program Files (x86)\BlueStacks X\config C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
File created C:\Program Files (x86)\BlueStacks X\imageformats\qjpeg.dll C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\HD-CheckCpu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\BlueStacksServicesSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\bstsrvs\shell\open C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\ = "URL:BlueStacksX Protocol Handler" C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\URL Protocol C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\ C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\bstsrvs\URL Protocol C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\bstsrvs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\bstsrvs C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\bstsrvs\ = "URL:bstsrvs" C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\bstsrvs\shell\open\command C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command\ = "\"C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe\" -open \"%1\"" C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\bstsrvs\shell C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon\ = "C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe,0" C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\ C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe N/A
N/A N/A C:\ProgramData\BlueStacksServicesSetup.exe N/A
N/A N/A C:\ProgramData\BlueStacksServicesSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\BlueStacksServicesSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe
PID 2120 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe
PID 2120 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe
PID 2120 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe
PID 2628 wrote to memory of 6412 N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe C:\Windows\SysWOW64\WScript.exe
PID 6412 wrote to memory of 6488 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 6488 wrote to memory of 6572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 6488 wrote to memory of 6648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 6488 wrote to memory of 6720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 6488 wrote to memory of 6784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2120 wrote to memory of 6956 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe
PID 6956 wrote to memory of 7404 N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe
PID 7404 wrote to memory of 7524 N/A C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\HD-CheckCpu.exe
PID 7612 wrote to memory of 7704 N/A C:\ProgramData\BlueStacksServicesSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 7704 wrote to memory of 7756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 7704 wrote to memory of 7764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 5760 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\BlueStacksInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe" --cmd checkSSE4

C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe

"C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.600.1019_nxt.exe" -s

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\BlueStacks X\green.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c green.bat

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name="BlueStacksWeb"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall delete rule name="Cloud Game"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="BlueStacksWeb" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Cloud Game" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\Cloud Game.exe"

C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe

"C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe" -versionMachineID=6b110b44-8474-4776-8873-6ac16999d922 -machineID=fe173be2-e75e-401d-b1fb-ded775d6e875 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Nougat32 -imageToLaunch=Nougat32 -isSSE4Available=1 -appToLaunch=bs5 -bsxVersion=10.41.600.1015 -country=GB -isWalletFeatureEnabled

C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\BlueStacksInstaller.exe" -versionMachineID=6b110b44-8474-4776-8873-6ac16999d922 -machineID=fe173be2-e75e-401d-b1fb-ded775d6e875 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Nougat32 -imageToLaunch=Nougat32 -isSSE4Available=1 -appToLaunch=bs5 -bsxVersion=10.41.600.1015 -country=GB -isWalletFeatureEnabled

C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\ProgramData\BlueStacksServicesSetup.exe

"C:\ProgramData\BlueStacksServicesSetup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"

C:\Windows\SysWOW64\find.exe

find "BlueStacksServices.exe"

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --hidden --initialLaunch

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1736,i,316497326302899999,948044775098825017,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cscript.exe

cscript.exe

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --mojo-platform-channel-handle=1780 --field-trial-handle=1736,i,316497326302899999,948044775098825017,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cscript.exe

cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\BlueStacksServices

C:\Windows\system32\cscript.exe

cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A

C:\Windows\system32\cscript.exe

cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --app-user-model-id=com.bluestacks.services --app-path="C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2700 --field-trial-handle=1736,i,316497326302899999,948044775098825017,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq BlueStacks X.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq HD-Player.exe"

C:\Windows\system32\cscript.exe

cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt

Network

Files

SHA512 f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

memory/2120-150-0x0000000021740000-0x0000000021748000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\Assets\installer_bg.jpg

MD5 3478e24ba1dd52c80a0ff0d43828b6b5
SHA1 b5b13bbf3fb645efb81d3562296599e76a2abac0
SHA256 4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904
SHA512 5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d

memory/2120-154-0x00007FF91CDF3000-0x00007FF91CDF5000-memory.dmp

memory/2120-155-0x00007FF91CDF0000-0x00007FF91D8B1000-memory.dmp

memory/2120-156-0x00007FF91CDF0000-0x00007FF91D8B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsv1EFE.tmp\nsDui.dll

MD5 11b5dc4c5f5c61593479b90e588903e7
SHA1 18af8549ace57f3d59afa251887a4dc8a4001bbb
SHA256 8580d6533654e42473fb6f4b5aedf1add6875ed3f84d1e44d7741fef38628aa0
SHA512 65b96f113b727dd3f563dbb8fc182896540ab94cae166a145c752791d9f5cd358c8e98e694de5bb8bc6a077941421353bde711456d4ee9b2ba7dda543b04b8c6

C:\Users\Admin\AppData\Local\Temp\nsv1EFE.tmp\BgWorker.dll

MD5 36c81676ada53ceb99e06693108d8cce
SHA1 d31fa4aebd584238b3edc4768dd5414494610889
SHA256 a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38
SHA512 1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

C:\Users\Admin\AppData\Local\Temp\nsv1EFE.tmp\nsDialogs.dll

MD5 f7b92b78f1a00a872c8a38f40afa7d65
SHA1 872522498f69ad49270190c74cf3af28862057f2
SHA256 2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e
SHA512 3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

C:\Users\Admin\AppData\Local\Temp\nsv1EFE.tmp\nsis7z.dll

MD5 95f6f6ab9509bc366ab9215defe4251a
SHA1 e3f4a6effd6ca5838cfe91a01967cb72edcc7b0b
SHA256 a896a9ece055d334d431cd0f856113ab925d9ee86d2dee383c0bfbbef11a5b50
SHA512 a853f70d2ea7f384df99be067724bf3ca73c63f3c3573c112f5528fc86a96bd34509d934b038e2a81833f3abb3eedbc5894921291139100e01df6e35696c0ecc

C:\Users\Admin\AppData\Local\Temp\nsv1EFE.tmp\System.dll

MD5 959ea64598b9a3e494c00e8fa793be7e
SHA1 40f284a3b92c2f04b1038def79579d4b3d066ee0
SHA256 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA512 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_pressed.svg

MD5 dfddf8d0788988c3e48fcbfb2a76cd20
SHA1 463bb61f0012289e860c32f1885a3a8f57467f2e
SHA256 9585f41eb6202e89f2087266fa31852d7f41ca8cc659b907c96753fe165f937d
SHA512 e708c5114c60f7574589d6a56c9faedda26ee4a40f0eeb25f5e12eadcf790f24fdbf393fa0aa6ad449b5337d625b092d6f8822472fa8a6ce1339aca59c50c3ca

C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_normal.svg

MD5 3221ac69d7facd8aa90ffa15aea991b0
SHA1 e0571f30f4708ec78addc726a743679ca0f05e45
SHA256 92aeae68e9e0973d9e0dc575941f1cb2e24afd0574341a46b870be7384eaa537
SHA512 5e2de0abfe60a4db16ea5e8739260c19962fbfc60869a77bde6ab3547ad8ee3ad88e74e97da31fa23be096afddad018e431d152d6d0fa21a75357a11dacb1328

C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_hover.svg

MD5 76166804e6ce35e8a0c92917b8abc071
SHA1 8bd38726a11a9633ac937b9c6f205ce5d36348b0
SHA256 1bca2e912184b8168ee8961de68d1d839f4f9827fde6f48ab100fb61e82eff90
SHA512 93c4f1af7e9f89091a207ab308e05ddd4c92406c039f7465d3b8aca7e0cc7a6c922a22e1eee2f5c88db5e89016ef69294b2a0905d7d6a90fd32835bc11929005

C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_disabled.svg

MD5 e7fdf6a9c8cae1fc1108dc5a803a1905
SHA1 2853f9ff5e63685ebb1449dcf693176b17e4ab60
SHA256 8ee5aa84139b2ea5549f7272523aeb203d73954c5ccdcf6f7407bf1a3469f13e
SHA512 a6388b24926934e20ccf7fcab41bd219dc6c0053428481d7f466bf89f26bf1a36fdff716a9ddd9ab268df73b04dff1449c6bac1f5c707e31ae2ee71c2087e0d9

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe

MD5 39ed2ccd44b675779a3c52d770959590
SHA1 edcec83de7a2c152ce07e444ddcd2382deca6e33
SHA256 03d75c338a4ae5c94bba108783a41fff403a91bb08fbe6d9c82856b092e72f35
SHA512 9fd7843c944a5e642a4136823664a7e981305baa7e6ca7d2646a8a8669aa62b41203e3e9babb4c789e80bccd888e6041cba13b047c9904d3a21d037221cd2cc8

C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\Assets\minimize_progress.png

MD5 1504b80f2a6f2d3fefc305da54a2a6c2
SHA1 432a9d89ebc2f693836d3c2f0743ea5d2077848d
SHA256 2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6
SHA512 675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

C:\Users\Admin\AppData\Local\Temp\7zSC2B3B979\Assets\exit_close.png

MD5 26eb04b9e0105a7b121ea9c6601bbf2a
SHA1 efc08370d90c8173df8d8c4b122d2bb64c07ccd8
SHA256 7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157
SHA512 9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

memory/5028-9553-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso33B9.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

memory/2120-9756-0x00007FF91CDF0000-0x00007FF91D8B1000-memory.dmp

memory/5028-9799-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso33B9.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\nso33B9.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nso33B9.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nso33B9.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nso33B9.tmp\Registry.dll

MD5 2b7007ed0262ca02ef69d8990815cbeb
SHA1 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512 aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

memory/8608-10056-0x00007FF93A390000-0x00007FF93A391000-memory.dmp

memory/8608-10055-0x00007FF939B50000-0x00007FF939B51000-memory.dmp

C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

MD5 51b8737d49c01c3041402fdda00aec3d
SHA1 8c1616efad46c8b95900533cbac5167476da8ba8
SHA256 89f4cfb46bbd6b14c21e77d4608db9560f8a5853d2fecd63a8d9b7f58cb9c6bb
SHA512 305d03734bd5df29e6cd6ab23c7462e1e8bbaf3721dead0417012442923a28ef4349c33454ed0e94d30d6b80898d4ee7ad2bb46c516bc165d81b673431182b9e

C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json.tmp-11797328545a284e

MD5 eac1e45ec32239cb6daefd5b2c432a83
SHA1 405efd5ad2fdc7334c912aeae2a3fbade79144ed
SHA256 b44159321b7c4ce1abb7b1d9e46e969a7b64a48e37def4b05f0d9d502e208034
SHA512 521b1666295d731f19f45acca185d444e8234961d6bb360e355f8b5bebd94e09b5a7059ea93af6cfbaf9930a771e86903fad86425497ef86adb565b6c6685ebf

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

MD5 ec12bd498ab4d286db0ea55b9dae4ba2
SHA1 f3a228c7bc0fc7172352db1cc148ea97747e1320
SHA256 532cd180359234cc0ff8b2f9c297683db647b8af1f2828fa7534c8d934d21734
SHA512 a839841da0d56cb7c5948c528ab46ba14d0d9bf57415230f81e105a6bd30707eb894f80201f1e7dba32a73372eb63bcb42bf1030712268bc231fe870490e88ca

C:\Windows\System32\storage.json

MD5 75d803935059785011954267bdb0814c
SHA1 2e7c964d7f6d9abae2aee4bcfc2c3a64f9fb4b38
SHA256 1245552f1e44239aa0dfdc7aa0af24ac1e588d66abaee3ad10ddcb82a229f2ef
SHA512 6bd607670a9f1702c193f672802678e790bbf3fa385043c08f5eeea7ea7598ee20cc8660f36711e1ecce7c29090b505a938b5b4ab23d1bddad7d94f2c22f39e7

C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

MD5 5deaa05a55e71b8482ec6623bf8d3a4f
SHA1 df49273aa0428cbb998f5ee442b6360b7d9c4b97
SHA256 4d933442260bd35d7e96c4c1a18409b586d55fb396b6b6acdb2af3751ce48774
SHA512 cb46fbe92a8f0b6611fc3ade7394bab8777c0e727ee7e7d69734325b77ec801f9fb555ac45493b1bb08ed0dd12b1c61d1c3b29f760d3e79a469694cbb1dad8c1
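
The listing above is flat, and two things it hides are worth pulling out before the hashes are turned into indicators: config.json under bluestacks-services is reported three times with three different digests (the `.tmp-11797328545a284e` sibling shows a write-then-rename), and HD-CheckCpu.exe recurs under a second 7zS* extraction directory in the behavioral1 listing further down with identical digests. The following is an added example, not part of the sandbox report and not BlueStacks code: a parser that rebuilds one record per dropped file from this exact line format (path line, blank separator, one "ALGO hexdigest" line per hash, interleaved "memory/PID-...-memory.dmp" entries) and flags rewritten paths and duplicate payloads. The embedded sample is a constructed subset copied verbatim from the entries on this page; the regexes assume the line shapes exactly as printed here.

```python
"""Rebuild per-file records from a flattened sandbox 'Files' listing and flag
paths rewritten with different content and payloads dropped under several paths."""
import re
from collections import Counter, defaultdict

# Line shapes as printed in the report: "ALGO hexdigest" and "memory/PID-N-0x..-0x..-memory.dmp".
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")

# Constructed sample: a subset of entries copied verbatim from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7zS4A3DDAA7\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

memory/2120-134-0x00007FF91CDF0000-0x00007FF91D8B1000-memory.dmp

memory/2120-136-0x00007FF91CDF0000-0x00007FF91D8B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

MD5 51b8737d49c01c3041402fdda00aec3d
SHA256 89f4cfb46bbd6b14c21e77d4608db9560f8a5853d2fecd63a8d9b7f58cb9c6bb

C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

MD5 ec12bd498ab4d286db0ea55b9dae4ba2
SHA256 532cd180359234cc0ff8b2f9c297683db647b8af1f2828fa7534c8d934d21734

memory/5028-9553-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c
"""


def parse_files(text):
    """Return a list of {"path": ..., "hashes": {"MD5": ..., ...}} in listing order."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or MEM_RE.match(line):
            continue  # blank separators and memory dumps carry no file hash
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def dump_counts(text):
    """Memory dumps taken per PID: a quick pointer to which process was unpacking."""
    return Counter(m.group(1) for m in map(MEM_RE.match, map(str.strip, text.splitlines())) if m)


def rewritten_paths(records):
    """Paths seen more than once with different SHA256: the file was overwritten during the run."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[r["path"]].add(r["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def duplicate_content(records):
    """SHA256 values seen under more than one path: one payload, several drop locations."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[r["hashes"]["SHA256"]].add(r["path"])
    return {h: sorted(p) for h, p in seen.items() if len(p) > 1}


def unique_sha256(records):
    """The de-duplicated SHA256 set is what goes into a blocklist or retro-hunt, not the raw listing."""
    return sorted({r["hashes"]["SHA256"] for r in records if "SHA256" in r["hashes"]})


if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    print(f"{len(recs)} file records, {len(unique_sha256(recs))} distinct SHA256")
    for path, digests in rewritten_paths(recs).items():
        print("rewritten:", path, digests)
    for digest, paths in duplicate_content(recs).items():
        print("same content:", digest, paths)
    print("memory dumps per PID:", dict(dump_counts(SAMPLE)))
```

Feed it the whole Files section of both detonations and the rewritten-path list tells you which files are configuration or state being updated (worth diffing, not blocking), while the duplicate-content list collapses the per-run 7zS* temp directories to one hash per payload.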

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:13

Reported

2024-11-09 19:16

Platform

win7-20240708-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe"

Signatures

Downloads MZ/PE file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FEB3CAB1-9ECE-11EF-AC2A-E6BAD4272658} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (binary value omitted) C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
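
The rows above are consistent with CryptoAPI doing its own work inside the installer process rather than with the installer planting a trust anchor: AuthRoot under HKLM is where Windows caches roots fetched by automatic root update the first time a chain is validated on a fresh VM, the CA store under the user hive caches intermediates, and the writes are attributed to whichever process drove the TLS handshake (here BlueStacksInstaller.exe, with the crt.rootg2.amazontrust.com fetch in the behavioral1 network table looking like the matching AIA download). That is why this signature fires for plenty of benign TLS clients. What a practitioner still wants to confirm is that each Blob really holds a certificate whose SHA-1 is the thumbprint in the key name, and which property records were written. The block below is an added example, not code from the report or from BlueStacks: it decodes a certificate-store Blob and performs that check. The record layout assumed (uint32 property id, uint32 reserved = 1, uint32 length, data) is the undocumented one recovered by forensic tooling, and the sample blob is built around a stand-in byte string rather than a real certificate because the report omits the Blob values.

```python
"""Decode a Windows certificate-store registry 'Blob' value (the data written under
...\SystemCertificates\<store>\Certificates\<thumbprint>\Blob) and check that the
embedded certificate hashes to the thumbprint used as the key name."""
import hashlib
import struct

# Property IDs from wincrypt.h that matter for this check.
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32


def parse_blob(blob: bytes) -> dict:
    """Split a Blob into {property_id: data}.

    Assumed layout (not documented by Microsoft, recovered by forensic tooling):
    repeated records of uint32 prop_id, uint32 reserved (always 1), uint32 length, data."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return props


def check_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Does the certificate inside the Blob match the thumbprint the key is named after?"""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("no certificate (property 32) in blob")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID)
    return {
        "computed_sha1": sha1,
        "matches_key_name": sha1 == key_thumbprint.upper(),
        "matches_stored_hash": stored is not None and stored.hex().upper() == sha1,
        "friendly_name": name.decode("utf-16-le").rstrip("\x00") if name else None,
        "property_ids": sorted(props),
    }


def build_blob(records) -> bytes:
    """Assemble a Blob from (prop_id, data) pairs; used here only to construct sample input."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in records)


# Constructed sample: a stand-in payload (not a real DER certificate) and its SHA-1,
# so the example runs offline; the report above does not reproduce the real Blob values.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_THUMB = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Root\x00".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, bytes.fromhex(SAMPLE_THUMB)),
    (CERT_CERT_PROP_ID, SAMPLE_DER),
])

if __name__ == "__main__":
    print(check_entry(SAMPLE_THUMB, SAMPLE_BLOB))
    # A thumbprint from the report above, checked against the sample blob: expected to mismatch.
    print(check_entry("AD7E1C28B064EF8F6003402014C3D0E3370EB58A", SAMPLE_BLOB)["matches_key_name"])
```

On a live host the Blob comes straight out of the registry: open `SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>` under HKEY_LOCAL_MACHINE with `winreg.OpenKey` and read `winreg.QueryValueEx(key, "Blob")[0]`; then pass the DER from property 32 to a certificate parser to see the subject, and compare the thumbprint against the Microsoft trusted root program list rather than trusting the key name.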

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe
PID 2432 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe
PID 2432 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe
PID 2432 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe
PID 984 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe
PID 984 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe
PID 984 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe
PID 984 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 2084 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe
PID 2084 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe
PID 2084 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe
PID 2084 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe
PID 2756 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\HD-CheckCpu.exe
PID 2756 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\HD-CheckCpu.exe
PID 2756 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\HD-CheckCpu.exe
PID 2756 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\HD-CheckCpu.exe
PID 2756 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2620 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2620 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2620 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2620 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe"

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe

"C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\7zS428021E6\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS428021E6\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://cloud.bluestacks.com/bs3/help_articles?article=RawMode_help_Win7&oem=nxt&locale=en-US&image_name=Nougat32

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
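
Each process start appears in the WriteProcessMemory table above as a run of identical "PID a wrote to memory of b" rows (one per hooked call, which is the sandbox seeing the parent set up the child's image), so the lineage is easier to read once the rows are collapsed into edges and joined with the command lines under Processes. The block below is an added example, not part of the report: it rebuilds the tree from the two sections, assuming the row and listing formats exactly as printed on this page (both image columns may contain spaces, so rows are split on the next drive-letter prefix). The embedded samples are a constructed subset copied verbatim from the tables above.

```python
"""Rebuild the detonation's process tree from the sandbox's
'Suspicious use of WriteProcessMemory' rows and the 'Processes' listing."""
import re
from collections import defaultdict

# Row shape as printed: "PID a wrote to memory of b N/A <parent image> <child image>".
# Both images may contain spaces, so the split is on the next " X:\" drive prefix.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")

# Constructed sample: rows copied verbatim from the table above, repeats included.
WPM_SAMPLE = r"""
PID 2432 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe
PID 2432 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe
PID 984 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe
PID 984 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe
PID 2084 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe
PID 2756 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS428021E6\HD-CheckCpu.exe
PID 2756 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2620 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Constructed sample: entries copied verbatim from the Processes listing above.
PROC_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_37af3e2585987908aa6f7b6cf80f61e7_MDs1LDM7MTUsMTsxNSw0OzE1LA==.exe"

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://cloud.bluestacks.com/bs3/help_articles?article=RawMode_help_Win7&oem=nxt&locale=en-US&image_name=Nougat32

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
"""


def parse_wpm(text):
    """Collapse repeated rows into {(parent_pid, child_pid): (parent_image, child_image, row_count)}."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        pimg, cimg, n = edges.get(key, (m.group(3), m.group(4), 0))
        edges[key] = (pimg, cimg, n + 1)
    return edges


def parse_processes(text):
    """The Processes listing alternates an image path with its quoted command line."""
    cmdlines, image = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if line.startswith('"') and image is not None:
            cmdlines[image] = line
        else:
            image = line
    return cmdlines


def render_tree(edges, cmdlines):
    """Indented lines 'pid command-line' (falls back to the image path when none was recorded)."""
    children, image = defaultdict(list), {}
    for (parent, child), (pimg, cimg, _) in edges.items():
        children[parent].append(child)
        image.setdefault(parent, pimg)
        image[child] = cimg
    spawned = {c for cs in children.values() for c in cs}
    roots = sorted(p for p in children if p not in spawned)
    lines = []

    def walk(pid, depth):
        img = image.get(pid, "?")
        lines.append(f"{'  ' * depth}{pid} {cmdlines.get(img, img)}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_wpm(WPM_SAMPLE), parse_processes(PROC_SAMPLE))))
```

The tree makes the two-stage download visible at a glance: the submitted stub (2432) unpacks a 7zS* installer (984), which pulls the BlueStacksMicroInstaller into AppData\Local\BlueStacksSetup (2084), which unpacks a second 7zS* installer (2756) that finally launches iexplore.exe on the RawMode_help_Win7 help page rather than installing on the Win7 image.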

Network

Country Destination Domain Proto
US 8.8.8.8:53 cloud.bluestacks.com udp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 delegate.bluestacks.com udp
US 18.233.114.124:443 delegate.bluestacks.com tcp
US 18.233.114.124:443 delegate.bluestacks.com tcp
US 8.8.8.8:53 crt.rootg2.amazontrust.com udp
NL 18.239.83.98:80 crt.rootg2.amazontrust.com tcp
NL 18.239.83.98:80 crt.rootg2.amazontrust.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 ak-build.bluestacks.com udp
GB 2.19.117.88:443 ak-build.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 delegate.bluestacks.com udp
US 18.233.114.124:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 18.233.114.124:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\Assets\change_hover.png

MD5 57092634754fc26e5515e3ed5ca7d461
SHA1 3ae4d01db9d6bba535f5292298502193dfc02710
SHA256 8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1
SHA512 553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a

\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe

MD5 0d021ad9fc86a22215cd014b088f307e
SHA1 531e18244b9a43798562c1297c09ccc0239adb61
SHA256 c14eb1c61d737e195ce06cb84ba2b05925dcf36ac35c1078f260e423b1ad3485
SHA512 e5d977d5a3f5a5888e054521168a9ac22712892d5aea225a6f545e9be885deef1983fbcd963927367b2d7439c18b2e6c71a6b143a924a41f5acabc76e0a6e993

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\BlueStacksInstaller.exe.config

MD5 1b456d88546e29f4f007cd0bf1025703
SHA1 e5c444fcfe5baf2ef71c1813afc3f2c1100cab86
SHA256 d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb
SHA512 c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

memory/984-127-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/984-129-0x0000000000F80000-0x0000000001020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\JSON.dll

MD5 f5fd966e29f5c359f78cb61a571d1be4
SHA1 a55e7ed593b4bc7a77586da0f1223cfd9d51a233
SHA256 d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156
SHA512 d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

memory/984-131-0x0000000000CF0000-0x0000000000D58000-memory.dmp

memory/984-132-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9D0C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9D2E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\Locales\i18n.en-US.txt

MD5 a1e3293265a273080e68501ffdb9c2fc
SHA1 add264c4a560ce5803ca7b19263f8cd3ed6f68f0
SHA256 1cb847f640d0b2b363ce3c44872c4227656e8d2f1b4a5217603a62d802f0581f
SHA512 cb61083dc4d7d86f855a4cc3fe7c4938232a55188ad08b028a12445675fbff6188bb40638bd1ce4e6077f5bfc94449c145118c8f9b8929d4e9c47ed74cf7bece

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c
SHA512 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

memory/984-190-0x000000001A7A0000-0x000000001A7AA000-memory.dmp

memory/984-189-0x000000001A7A0000-0x000000001A7AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\Assets\loader.png

MD5 03903fd42ed2ee3cb014f0f3b410bcb4
SHA1 762a95240607fe8a304867a46bc2d677f494f5c2
SHA256 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1
SHA512 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\ThemeFile

MD5 c3e6bab4f92ee40b9453821136878993
SHA1 94493a6b3dfb3135e5775b7d3be227659856fbc4
SHA256 de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6
SHA512 a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c782295dc7c66293d72306469e950887
SHA1 acdaabe6f7faaf5510ea2c4f1a6b3450e89efc23
SHA256 aee6d0cb05abd314d07f6c48902ab5ed0fa08eabc12ce8fbdb733bc340d55110
SHA512 5ae1b7cfdb806c83f3a5eca7ce96f0e1ab86c127a02d8eceded0634b7090a1dff778ffcc1453ce5c6dc474d57e8ba45d221126392d7c986dbb3d025f5f39f4fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0ca0d7777c104c2db3fbc32b0d45113
SHA1 081e24f54360d7962bbc12307c9a1c5ea11d0cf0
SHA256 c8a2e633dea171d69934dcd893d84f91dc2b7f706feeea3320f10b4d1609c575
SHA512 2e07b0a953d6d08975f9146d26ed01a298864ffdc7a42fbba257f53eb262c12bbfd8b3cfdca73ac18fb0a9e4b1895b3803764b18d69ebac387ce7ca1ffb52452

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3b25c5ddcecb0223ae4e3db588a105c
SHA1 f375280ce850dced14534670da0b11895205dba2
SHA256 9be77fbe86f314f10ce255d291180a976722b14137d034d6a2559ca537346011
SHA512 42b72722bdfd6d63324da4e38dcba6957ed4ebd1a9087948f37ccf8db8e21a4caf5ad8d284c93ddc3fc47e0c5d719a5240659f804b7f5f86e8c085f8ad87851f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ecfe5b94d184e2b2b9325d229f6a183
SHA1 26d24b0420829faa95ee74e44f7e9bb41aa67e7d
SHA256 f5f5398a9958dd06af420d0a1a60dad3d1f6f96d5f44b1c6e6716e24b6658193
SHA512 e95dd9bab0cccfa8404f38da44f628833f1f56706f37bb78d59bdf16f3d074caa61c69883376298e115a79cf5ca52f2a6d418ffb7131a2184bbb1749ef49e4b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fa0bd7ce03aaec67cfed5d30f3ae5a3
SHA1 4647c66f97eacae17e4bc9acd90370c550b4a110
SHA256 d513c49d6c3a05a04e6321e4c4a4274c00375c0a2f23421cc533919510db4361
SHA512 d27330bff08443f6588c464f00f709ec03c5fa713d0060c23572876fe871d8409f51d9d4537c902990cf1ae8827366daf6044a6c5e40b52a54875ead86ffe21b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef2fbe1be1c49112cf3b74362b6649f5
SHA1 a64b57bdebe0670afd78b37a0348bf8d320f9b87
SHA256 48ff1f1272274469d0644b093253ab784f163d1399662f5d598420a302c30e3a
SHA512 99da6b6263232c2509ce2436d014815fe580035758c989511788d1af68d82528364ed1ca625cdb4634dd2714b007b2d79ba639f3f917f4bc9bb4a8ca8016af8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbc2e0cd2b870c8efc4b4f14205cc745
SHA1 49ebf80953a00de7aca7c782a551875354e6d50c
SHA256 4b2f951836d1a16fb799b2473f896c3c39f731d71f1e7b996fd12ef4f84484ec
SHA512 20dcc15913f4a15f33b91d74dcb5c89a8091159db93f327c37bba772be6542a27edc65e67a4722dc5c160c7d0c7813174fddcc0541a1ae51f42876eb73907d8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c89820be1946b9fec7d6cba15266757
SHA1 23da9c21ec38b2397b9ec5cdb1fbbebe6a4a1f4f
SHA256 98f1bbdfd60b6099abbe6df76d6795aaf433d49f86235db76fb3ba3cece668c2
SHA512 4204474613728ee7f75e385543f1f6edd5346eefa1878258c06910ab76dabf4ef0a2216d19e4a14f05d6fe2e10f8542ffff9c43ca200bc4d02bacf77e86b2a1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1caca5ec3ba4dfcfb7ef3a05b4c2218e
SHA1 1666bbeb1a20b71b2b791ff72b50df9b2f4e93b3
SHA256 880c666e4544086464caf4eacfd71d44640e41b1697e2ebe7b84f770f8cdd6cd
SHA512 dfc3867471c5fa5c1bfc2fc20bfefe9a857a1bcc15278e233f2cfeeb29333558f0155081de984a34efbbe9c20ca931e6a5b122254b18ebef1c822728b5f428ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 873317641e63da422af07a2a21993b65
SHA1 6bd60166e44ade6c33a8023571933dff057472b5
SHA256 4a38dc0a208ccf0fee7d2726688e937a74a66b6d4e1f6d5a39a8711a27df1e3e
SHA512 4d426da8a9fe0a5c84249cd9de4bd0441f1ee21dc40315b34748c53c540657cd7bff9bbb5ce0630c5c818759513e582520669534338224bada351f9be767e99e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f04d3d52b8209d82dd6575899145417d
SHA1 71fd8dd64c5864000d55e28ecc8253d2b330044b
SHA256 b152bad6a588442cf2fe7f3bd81000364a3cabab30910a6a5726c9d7fb2b0103
SHA512 7977891f48e832040377046d0f8160fffa00ae8a61a69bd70a95327adc3270ca2ef36a177a45ff131cdf32fdb1c2561fea163ef22e6ca99f2468443de28e9565

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5646555ecf2aad4e1058e6625c9cf92
SHA1 94a06f14d98ec7e9f09ebeac6722f72eb1b912af
SHA256 d7deffa473c198399de342d6166bf7c4d69190385c97c95bb3ebdf406eac9b18
SHA512 4fdf3d71ff99796a9914717bd0d85a9aeae0a7a048ad6c73d1f39f181ab5dc373b35841f28f831826bc832f7a42ee61c6bb2bb25f0a98c006ae75c8a51873f99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 084582aceee50d122ed70d3e25bcc856
SHA1 647c44808558efa1ea4ffcd0758fb870bc14c90f
SHA256 731b646f2cca1a28d5ed98c6449ef4105f6b9577269aa5df2903c08628c8d4b5
SHA512 4d7a1364b03c22255443424f2827d6e7b1ed0bf055d98dea74286ce84bc4d47695e95d0a56607326bdca347afd673b1ca06dafe09a25d019e7bccf7356164620

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 8917fda047b7f712e168a335e18a375a
SHA1 8f945df60c912e3ace44fc5af90fb21a9f803539
SHA256 0a7f9216ca2a7a65fccefd75fbd47e16f37b379fc598e991b1cc3bb739d2b850
SHA512 b0190ebe3c0da33555c3a07beaafd52f21ee1d51aaee14e8920998e4eb84a6e121d3909a5fa9a993f7bd153d2232492f3b3dabbd00b6a6158aa2c21a6d79ddc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

MD5 c6150925cfea5941ddc7ff2a0a506692
SHA1 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
SHA256 28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996
SHA512 b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18a225c198d446b50139a68de54d7d86
SHA1 eb70edf14412eecc5a56396ce5c4d34569cd93d6
SHA256 94725b7f3c0ee18cdd04e2884fa08093474abcc563a2b4cd83747939d279ce09
SHA512 9a4ef134f3250c3c765fe5c2956df6edc2c01bcc935dbde4079564431d9e7632712982879e090fa415a0cb7a042fffc4ef973289416d4732ba31fad3ddd2b8d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 532019f28d0c392f00ca5ad78299c27a
SHA1 e6d91f00a63959210df28f7d1cc807f9e28610e4
SHA256 52047dbd221c03ecdfa8a68a2f21880325a0e4539f1ed27a74b677b00f4ea0e8
SHA512 6c60d4a03ac904c67576a17d7403c749ce5931321e7fa6ab585642aac56b55b688de1df93edabeff8354b901de72c63dc95ea2d59d6a3c3ce76e258db98f2414

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\Assets\exit_close.png

MD5 26eb04b9e0105a7b121ea9c6601bbf2a
SHA1 efc08370d90c8173df8d8c4b122d2bb64c07ccd8
SHA256 7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157
SHA512 9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\Assets\minimize_progress.png

MD5 1504b80f2a6f2d3fefc305da54a2a6c2
SHA1 432a9d89ebc2f693836d3c2f0743ea5d2077848d
SHA256 2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6
SHA512 675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

C:\Users\Admin\AppData\Local\Temp\7zS089EFFA6\Assets\error_icon_72.png

MD5 4aaf83d2b3fd56ad806708e60474df39
SHA1 144777a265879b69fadea3eb3ac6939458918578
SHA256 84e59d14d9433e6c3d92daeb8c443063b5e3be6c0b297f0403dbde473a05cb3f
SHA512 3b8485f054fe6ed2374bc81cb1786f09741219fbfcb22503707b11cf5db1ab262ba4349633597d5d9ddabc3415b170fa8eebc932f58d211d7092b8fb96fa1304

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25291cd860864e0ef5410d8ad1fa7438
SHA1 ea73e11980940c534167258a4f82f65ef7bb694e
SHA256 1e55796bcab0310d8d8f48723dfeb42d44077be853307e05fe22c616e81e3549
SHA512 ef333f5d57132368c99ac22d54915ae22c3fef84c0d3bc1a30d291c65aa665e53cbdd02c62dbf6e77927eb796e0f3aa2cea70c1b36e707414564e0a952d92824

memory/984-837-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/984-838-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/984-839-0x000000001A7A0000-0x000000001A7AA000-memory.dmp

C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacksMicroInstaller5.21.301.1005_native_37af3e2585987908aa6f7b6cf80f61e7.exe

MD5 75bcb927b59b52ec59208f12d02ae1b4
SHA1 63d892e26cc322f7f3e630154ded1236693deeb3
SHA256 3128acdfb50a840a1a841b7d3a6d06762d9733d1cc35c743102d0ec100568578
SHA512 f67a9cd9cecbcb50d456740792235d2ffbc187448f9f66a8d7801c08708e23969cee46d21f829abbfa16d9cf44eaa908596c3a6b09e560ff1bfce331491b80a1

\Users\Admin\AppData\Local\Temp\7zS428021E6\BlueStacksInstaller.exe

MD5 8734859b771d26d4b937371217d8d4da
SHA1 83b5b32715718a90ddb68db49fc5e4405e456313
SHA256 aed0c389f812cfe56c4ca0423935c7eed17e85318be99f654b57428dd6c0b881
SHA512 453900ddcd101f750b634c4c89f9bf81a4a267e8af5a2989727bc035d61b65e140838b7f12214cde491f9f7564f3511de625d7d7f65fb25a7d98a4646c3a930f

C:\Users\Admin\AppData\Local\Bluestacks\Logs.log

MD5 ca58d23d0c2a67e0d1e779f167fbd0d2
SHA1 c7724499680c5766377638996ff5538a8a740353
SHA256 cd20caeb8530231375fca498ac7b7c68d6335a28f01b2e0ac5c913962fb008ff
SHA512 7326762148f5d5e51c6594b5105682260b4afea79d6f9b0373f00a7688054877ff731a129d1ff78f5031eaf4ffe6bde288d2ec5dfefd79c6e1f4b8e0d28cac6e

memory/2756-1073-0x0000000000EB0000-0x0000000000F4E000-memory.dmp

memory/2756-1076-0x0000000000C00000-0x0000000000C68000-memory.dmp

memory/984-1086-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a1abb6f374e66f82a123db51d6bc940
SHA1 ccf4eb126d54001203a88e8a5dab603c71fa3238
SHA256 3baf5366010d009b0fe6f77dc117c5be2e166f655378671dd4c2f09ec61b2ea7
SHA512 ca275d510e00502d27d1f13d930ee7bd01fe9b0d85655bae714a67f83ae9123bf744ffa307073810eadeb252144bf08561f3e3a46e514e53fb872b3c74fdd8df

C:\Users\Admin\AppData\Local\Temp\7zS428021E6\Locales\i18n.en-US.txt

MD5 0a041eb21be673b37a9a43f751d83400
SHA1 cf98837aeb730d05ec55252277d2ed41ef58f0ba
SHA256 708132b01a012c3a43a5a7e5550318f6fe72a98139bba7e4f5fb352b9e46db29
SHA512 476051e9cc528c8b72a1ff0aec6f9e05cce4e7069ff4af7e75558664f02a7018304a4d840e694ee811d08895b628da072b1c72b8f605e4212b75a84db66b8b14

memory/2756-1194-0x00000000005C0000-0x00000000005CA000-memory.dmp

memory/2756-1193-0x00000000005C0000-0x00000000005CA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0f1005157c09290388580f607aef93c
SHA1 35ab2b7a4f3922ffa8c9059c63e613f18607d771
SHA256 4a985e23299b72b0e321b4a761ebc72b35fb4de91c03ccb16cc8ff417959aad7
SHA512 004b6d1cd22e77d72ba67cfd646d92be0dd5ae31fe5a119f099981696f398f12b3b05c14c2ceca1ee22eebbba074b1fc4faeb3dd777c39d39e7e3b57bfc5c5e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbb8da159e99fbac56c0b0949cb5bafe
SHA1 9b66ef03f7884f8ce9698ef9ae65851a7352cf43
SHA256 0c94f0705d22ffd59d64ae2559eace77df73765f958e1eccaa50bb44440207b6
SHA512 8ef260ad70adc7dd875aa324c951087a4cb1662fbff34c7aad8a46c4b4083661cf78586a35ce094fa3606ed72153128cbd77ef55fdcea602176e2b0dd45f4fbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 265276519c9c7326a1925891ea682014
SHA1 2f22eef258365c002a8d19afc9b2386babebecd9
SHA256 3ad2e67de13d15fd0aea2688250922776f69778e1bd1e88175bcbd6c042ff175
SHA512 11e057f17e6bd3d65e00b67bb07713fd0e9a9a8a04b2096cc295f87938557dcc2897dd31ff2882b62e2c91abac2652040487f45ce7852f1c23390832dc0b4bbe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ab0cd7284931402dd92c2d118c34e99
SHA1 e80bf7006dc04ebf87e6167eeb381554a0189921
SHA256 8a010b805aaa1b18bc5c5d7337911a4189a69bbe26f3fbb5713b4e50aab267ce
SHA512 069f2f05356b5598cfae4c3290b3556ecf072a06f127cc91bf297a94d110caf8631ed4315d98a0f4886d45dd7d6f94e3ce9c6096986c61a6f23db389e60b7e46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28dcd2e11b74a7cfd5ec538cd38007bd
SHA1 5fe9f4058921a2c9b9ac0446e9e14d8b6951a64d
SHA256 5a1be80f52278482ff444c52220626c4e83db2f8aa2d05c4f62b912d074df7eb
SHA512 d85b1f072e55b3b1fb6757e4e8546ff7f0817f1b306f72de9f4ad9f9ab85af27f3f159186d999bc49192c121a1a18405e554312221219c7c5a5f6d46b93ca555

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b064651241c2c7dca36a8dc22c25306f
SHA1 d65865cce9ab45c440bcbf676fb704e38c80f932
SHA256 d53dd5675b96b9dd07b460a37f6ebccd0f2ce510ea178fc4260b0723f683fb04
SHA512 41d2d2f94ed03fa22532e827b308d668b96b18b1730c980625739f689c5058691a19e0acd27f2728f25c7a8f0a049f57785fe0c928c235d15f91e5cd0667fcb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1fc302660a8b2cb2cea1634f29785989
SHA1 aa9f0d20d55d335a9c213e1abee8da890a5e1206
SHA256 ea6450530871e6a38217a2e36771d2cca3a73def48b05a68e9d68b5dbd0d3619
SHA512 6b6b04b263e3c9dc745e407e6ed63a03f44cf3da0670e83c980227186e130f7ca2770514dedf19ff157f302eca98d90f798064d30962c6d2e63c1bd931405120

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d059c1e86ff6eaf3bcf80ac760378df
SHA1 f85da89eaa1744c1dcfffd33dd41e260b9fe6f5a
SHA256 9a36504cec69ae97ecabc88473723d0f032a14d6e894ca768e9c56538054b832
SHA512 21e027755f716f6eb7866f5edf492b371c039d8e5c9fcff5fd67676debfe73d9ae1c0788d0da4e48b1bd6d77951f55a9d15c8cf2b5de04752e6656c50020cbb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3264b0d09f0c62907c4b10c121220295
SHA1 83e18a867e8075642717932451534df9ba9d2b7a
SHA256 5901e3de28b733e88c3e536b02ee046f681d951eccffff38ea97bbbb643e8005
SHA512 6854e95b5c7f92b033a23996d915f64d3ca40f4ab6a7eb0b8ae9481820dd7025a0737661a7444100fb8ca39787fcb4f721b9d3f6760163ca34ded73b237f149a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03b1cf4c4a262b61a5a517c62c8ee018
SHA1 2114f3ea644e1f44eb1f8c6fbe53f169b9c24acd
SHA256 1111b2bd05a830ecbbdc9ba2f07049da83420fb5235870ba481edcf107dde236
SHA512 3169861a45b16a334c060c7731099c8bbbf2bfeadbbff570db35e3a92e2994fdd2592b5b67fb143fc566512c4b5c90196391262346698f3edd1ec03f24b108fb

C:\Users\Admin\AppData\Local\Temp\7zS428021E6\Assets\link.png

MD5 ae2c73ee43d722c327c7fb6fdbee905c
SHA1 96f238bf53ac80f5b7a9ad6ef2531e8e3f274628
SHA256 28c0abc6bfe7a155815104883a37a53dd783d142300471064c95eddf3cae0eaf
SHA512 5a1e341f727cf1cb4832cced8e96c5a74971451629603c48bfb91ceb4561d0122ab9ae701f8b34681d5f13115a384467d430ccb8282494b40f4577ebc3ad825b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5370480c5b4947214cbc6addef0fa8a5
SHA1 814779f4986e7d51e91d65e5a20c08bdc66f9991
SHA256 2abbba134570c28ef1037357a6f03258983f115213ae304982bbf64cf4ac90b2
SHA512 c33d7fd2bf40f02c4e570f77109551e6cdd5bb13b02c0fe5c453df57bf3f779d353d8c33ea9272a3f673f6e80be17a6c6f9d16ae8d89d70036881f945778b237

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba1c11883ae4676a14d2bc452f8f1722
SHA1 9dd46447c4e10f810b678b9b2250607ddd059943
SHA256 61add5f04296c4baf771f07eedf480beb7b1f1a53b3a761c54d357601999cffd
SHA512 5ccfe8dbc83afa379dc59672c499ce2912dd2ffb755450122b7fc160e5b8ae5e93a85297d53cf4d9eecce5aff945e900479e2f58ea0ecb88d379046ff3a998d0

memory/2756-1632-0x00000000005C0000-0x00000000005CA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c572a6879184181696491a74bf22fd9d
SHA1 b2c85b23889638aa54a2f117caba22fe9db0e863
SHA256 3fd9e392255cb49fa58629ad7805bf76bbfab2fcd61fe1a2ad549094b47f2fec
SHA512 99da5c7d402bdeadd4ba24a2eb03e431ad1a5b35c71655b1c76ab5446d3003553befff3985e72869d6b93399b5a1f4fa911b17d4241d2aea1dfe5f57505d4db3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4960c54233ed179319c51730af008af0
SHA1 8ca0cc5688fe2cab6fdb5e93c844549e5850b851
SHA256 b0f4c179475cb4c6489002f020ceae4b75692169a265b53aaeef4bc76070857b
SHA512 9965fc16151c5c24d2a7afcb3697b9615144f993b4027c7af05127159f10ea1bf72d923fd79e4cb7ec5e4e965976a7d9addc2e6d3955bd57e17f3c1eb5cda92c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d324fb5a73a582b99b20621ea25b6bc3
SHA1 5eec60ee43cedfa5cad6d8a79ebf6efda24026bf
SHA256 d73fe8c06110adfa1e31bff81bdfa716af27b487fb89358b553e611f61555266
SHA512 efa2fc81d13c6838bd692833223a62cad2e51d486ab1bb472a60ea363d836213dc39fd65ec250a327473f1b805b279b531050960c29c9bb54600c4c00d6b7a1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6069e9fc76b06d8a639bc32c5b352098
SHA1 f86a948f58de6715ea895f93852543a801d4db7d
SHA256 50bb0d64f2e149dd1f425a5518eb30ffcd136ff7947805b7c5333c17392f230c
SHA512 4d7303fe210114e67cc1eacc9183e19a73da1d754b4b8d9b96c6536813a65d318c4ad0e60dfc7c033e4190704d699f353fa333247c701ae2ed0eb7fec3e6baa2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4444650f7ba9f75245e44836a95f80b
SHA1 67bb7e63f7b190cc145ebec31ac8fe4d3b9bc391
SHA256 0d14c4705cb38aabbc63eb69edd2954cc52bec78e46a1ee52c3e71855542eb4b
SHA512 14298f3f77ea217334d119519c85be1ef5bce2348cf7d52e6b65efc623d33d4b5c3af4ff2ec4e0f180e705dbb68e4bcefc4f4c8596c29b7000a5ad8d3df94cb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a38617f904aaded8f670940e1c640b0
SHA1 7ac3dccbece5b80ec62cb0d51b471ec6b5281874
SHA256 9a5721f5f3734d1fdc6cbff9ac90eef71621570fd6ce3209e4cd7bfe41848615
SHA512 ca6aaa56e4d8e548d53586bef1f638ac428cbaf912854cbd755b38072c8be05e715771f84630e40227e01360108d6e983a1c73f931b2c7b2a2a96123c4ed68bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55bb3f655650ed0181d8806ebf283eef
SHA1 2907202fbd2cc9a0d04622858b569d8b420440ef
SHA256 2ed8b6d4be6cdfeaffb3fb25c7b1660d967cdfec14f2cd19e1c3e92b0a3f4f57
SHA512 f39a6e505e6458b872b200213762dd2d88f711ad3189b9e827a8d9819f239e487f8a439626a80cc2da4d83018759b19bdd4ee4a5fa4835f32014fe422cbcb20b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca690e0a369a57ac5b9a2552acc376f6
SHA1 c9184474b882f6f9fd36f99c8801bf91353d4098
SHA256 763b188a95e0dbc998d6aec6c44d20c5b7af11694a8f37c626340c3479e32bd2
SHA512 8ec44b5e81afd39e88fda9e507d81678877d28a5357c9e36fa2f3c9bdb3f6a212ecb538732236df3a2f38806bccc7d47ae96fd1049ab116a79203a1b56f0a6d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f41121d1cfc0ea88d1684b6e9e1524c
SHA1 843fcc68db26e389fb6661b17aace10216935cc7
SHA256 d1e98279f67d4c05a5e141bc6c4d1eb3c6acfe533dbe6ba4a051bf51f449b256
SHA512 a378d2c6e7399e3f7296cb203329cba98d4c1afa5cf4a737cde4a635008ec811ede968ea917a3ef0237cf52968eacdce5a5640871edf64ccb7ab89eabc1fac06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd6a6c92b407af9b5a172c21656dc072
SHA1 531b85cfd35705bce03ba252f8f7add162c9affb
SHA256 b10a24afe842f003d04dd499677f940db8d21c18d2f8b7957dd9dbb014ca893d
SHA512 597a9ce303aa8bdc02f258ab321a0e040352919193c881230e46dc9f57278039460cdb07c35ee7113291b606b08c5ba78fab79805f5bc7d1d1befc04866692b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02efea03724ad519b4f19d19c3519f05
SHA1 d0fbe7cedeba530ef1be776f548ef465187df4b8
SHA256 5f2892a5df2381edcbda2efeafbdac4b5255c42587e313502304034685cae215
SHA512 5aab2275dcfb564c9e8a4598f14c0e2256389c526f0b408ce962cb58f4a203107915dd13c99bed374ee045cba6f02bc376ff27aab19af39db891b17cd9e5aeaf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3aebb2baebda3c9e90f7e8e9c5ff702
SHA1 1ebac326f2a59633de00e999c9680dfa0264e0d2
SHA256 b7da960e486261ff60680bfedfba7a0587ec650277f872b8ebeae1915356c9a6
SHA512 51f02f37fbfdd69b00fa88a4270186424ae29eacd9372f25d2b5100e90ffd057ef6a2b997deede3350f650bc173fdb5dbf3f49fb02aa608304e8db6e0a01d922

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 179e58cc5c868b4c1790ae046960a826
SHA1 1326dadd6e597fb69eef8a86464f47c1a2a75d1b
SHA256 e174cca96359d26b0c2f77f82aac0aa158dffb69958fcf4f67fe83ca7a5589c6
SHA512 37a856ccc072f532b786ceea79c5e520bf20dcaa5f01b7f0d1e4130ce30e9bc0656bd622f1a2d505886488dd28b6db0b28dc019066d95dae9b1064dab046e036

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fa638d757bca441fcf66cf67bab6e3b
SHA1 0098be44e7b0c3fac0c47dd6256e29fe880a1c89
SHA256 34381ce2495ad5a7601897b3ae643a8d85356fdbafa719c84f2ec52889d53596
SHA512 6a8690a0bcfd93149addd3630bb5523f7954f6e66c754b99f014d949ec17083cccf850a882937dbc6f688161e99ec1fc4f61ec9f367cc2b13c5584f943b358f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cdf7da15ee658ffa2aaa312e74263dc
SHA1 ec570f172e9bed15187e25f8aa1f96cfdfec2658
SHA256 42b33bf4c91c356ea1fffd63449a2af74ca2cbd086d4c2e0e3d07f442ca6d0bb
SHA512 662b62d93428aafefe39fe2cff0af3f03c165ffc6f3c27cafb8df81113697acba37e32285aaa7dab8322f445ce3efcdd8033892d262fc150e6779785f72e52fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd6fd0f33674d545892c7c6760877143
SHA1 6cfa6ec0cc644ea59e7af9797364da8461e4027e
SHA256 c2fc24f2086f0852db056f50bb436625352b2cc6223b8d04f382a12d7a7aa58e
SHA512 7565c570ea1ef7f4b3f9aea3c4476afcdba910ab9d3ca68135652e2d50fa237a1a031b3a4192e8ef7d3e1a1d883df1662cd7379911faafd0c1d257226a89bdda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4eb2e8b3186277f360fb002abdaf52d1
SHA1 49318d294f44e52e44c71dec3dcaa97b3984e8ca
SHA256 3cdde3955a54f29fc5a064cb520f8d48198936cbda89619ff6056152af906ce5
SHA512 cdf6784799e58f53f9a9a8e2d5caf9ec6c9bb4de922a3a35b2820c808faa48b890fb13400d9e02657cc906edd9a15d8503cd5bbfef83262c03f38cbd4d8fc421

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac8c1bd592690088b737e543d7fdaf8e
SHA1 0b7807d0783be03f3533ca3bd13c5d88b5b8d307
SHA256 9123b95044ece3db273cd6a00cd26a0f10ee63d9c34df95ae215ffd0d54fe58e
SHA512 f743f59f26e3445f2a867cba8baf07276d83c267ee416433e48384eda4b816d12b0bd34e90051ab41aa93bd8da1e6bbdf22dec6ea47c28b402110806d708dc17

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4469b5bf35517bee31ee171883d1bba8
SHA1 6de7ee507acde7808e65959cb400fe4db4795eaa
SHA256 2b6ebded8a8b81f5441f862b16a04b248472729cd0b2e087e1b7e053ceeba4db
SHA512 15fcbe0b2d9b078aa9c05823afbf459ca15bab30b8bffb18fc277f9c5b65f0aaff40d64a3cb2cb35dd09d1e69fda9a6e43f451c519475cd223a162d8d66b38bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a93cfe2e2f90f1343e748e2ab6ca266
SHA1 f1bb2e8bdf8c152d075a09d4942a125bafa7951f
SHA256 712d45243f5a0bdef7dea75fe80b63209c88af8d9ef2b3d6dcde8d0a59d5d5b6
SHA512 6de68a37b34bb07f7b0be45baf2272aa3226dabefc8598dcd7c066327320fcb71dc167ac5a62ccc9fdf5df7fec042426d2e6d56b36c52772d09c1edd171a4605