80b9ed664e92c955f8a6944075a33d96666d6400d6a6ea10977f68e64e152989

Analysis

max time kernel
93s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows7Games_for_Windows_11_10_8.exe
Size

146.7MB
MD5

9b0166d0569f6f5371b10521e105e957
SHA1

3204f8f6084afffd12ac3aaf907ab7828ffda8b0
SHA256

80b9ed664e92c955f8a6944075a33d96666d6400d6a6ea10977f68e64e152989
SHA512

46511185c10a7c6747a270a05f5450b66c5eb20621fc9107a444fa3c509a789986c06f4b6a2a58b75d3897b4934cfbfd72638dcc20ce75f803ce9a42c99b3a0a
SSDEEP

3145728:wc5apNl/YrhWp5iJC3+V4wOn5t7jMBel/M+eIVZ3ddvZBNnUxzaykG92:wlNl/YrEp5QCuV4whBel/5eS3HvZnu7Q

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1348	PurblePlace.exe

Loads dropped DLL 5 IoCs

pid	Process
4344	Windows7Games_for_Windows_11_10_8.exe
4344	Windows7Games_for_Windows_11_10_8.exe
4344	Windows7Games_for_Windows_11_10_8.exe
4344	Windows7Games_for_Windows_11_10_8.exe
1348	PurblePlace.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	Windows7Games_for_Windows_11_10_8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\PurblePlace.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\FreeCell\CardGames.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Hearts\uk-UA\Hearts.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\uk-UA\Minesweeper.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\chess.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\uk-UA\PurblePlace.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\uk-UA\SpiderSolitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\Solitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\uk-UA\chess.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\CardGames.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\uk-UA\Solitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\PurblePlace.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\Solitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File opened for modification	C:\Program Files\Microsoft Games	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\chess.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\Hearts.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\Minesweeper.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\slc.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\chess.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\uk-UA\Mahjong.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\slc.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\slc.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\CardGames.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\CardGames.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\FreeCell\slc.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\Minesweeper.exe	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\CardGames.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\Solitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\slc.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\chess.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\chess.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\FreeCell\uk-UA\FreeCell.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\Minesweeper.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll	Windows7Games_for_Windows_11_10_8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui	Windows7Games_for_Windows_11_10_8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftHeartsSaveFile\Shell\Open\Command	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMinesweeperSaveFile\Shell\Open\Command\ = "\"C:\\Program Files\\Microsoft Games\\Minesweeper\\Minesweeper.exe\" \"%L\""	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.PurblePairsSave-ms\ = "MicrosoftPurblePairsSaveFile"	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftChessTitansSaveFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Games\\Chess\\chess.exe,0"	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMahjongTitansSaveFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Games\\Mahjong\\Mahjong.exe,0"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMahjongTitansSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMahjongTitansSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurbleShopSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile\Shell\Open\Command	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile\Shell\Open	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftFreeCellSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftChessTitansSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftHeartsSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMahjongTitansSaveFile\ = ".MahjongTitansSave-ms"	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile\ = ".SolitaireSave-ms"	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftChessTitansSaveFile\ = ".ChessTitansSave-ms"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftFreeCellSaveFile\Shell\Open\Command	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile\Shell\Open\Command\ = "\"C:\\Program Files\\Microsoft Games\\Solitaire\\Solitaire.exe\" \"%L\""	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftFreeCellSaveFile\ = ".FreeCellSave-ms"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.MahjongTitansSave-ms	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMahjongTitansSaveFile\Shell\Open\Command	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurbleShopSaveFile\Shell\Open\Command\ = "\"C:\\Program Files\\Microsoft Games\\Purble Place\\PurblePlace.exe\" \"%L\""	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.HeartsSave-ms	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.HeartsSave-ms\ = "MicrosoftHeartsSaveFile"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMahjongTitansSaveFile\Shell\Open	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.PurbleShopSave-ms	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurblePairsSaveFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Games\\Purble Place\\PurblePlace.exe,0"	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Games\\Solitaire\\Solitaire.exe,0"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSpiderSolitaireSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSpiderSolitaireSaveFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Games\\SpiderSolitaire\\SpiderSolitaire.exe,0"	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftFreeCellSaveFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Games\\FreeCell\\FreeCell.exe,0"	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurblePairsSaveFile\FriendlyTypeName = "@C:\\Program Files\\Microsoft Games\\Purble Place\\PurblePlace.exe,-253"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMinesweeperSaveFile	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurbleShopSaveFile\Shell\Open	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurblePairsSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMinesweeperSaveFile\ = ".MinesweeperSave-ms"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurblePairsSaveFile\Shell\Open	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftHeartsSaveFile	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ComfyCakesSave-ms\ = "MicrosoftComfyCakesSaveFile"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSpiderSolitaireSaveFile	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftFreeCellSaveFile\Shell\Open\Command\ = "\"C:\\Program Files\\Microsoft Games\\FreeCell\\FreeCell.exe\" \"%L\""	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMahjongTitansSaveFile\Shell\Open\Command\ = "\"C:\\Program Files\\Microsoft Games\\Mahjong\\Mahjong.exe\" \"%L\""	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftMinesweeperSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurbleShopSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftFreeCellSaveFile	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.FreeCellSave-ms	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.MinesweeperSave-ms	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurblePairsSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ComfyCakesSave-ms	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSpiderSolitaireSaveFile\Shell\Open\Command	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftChessTitansSaveFile\Shell\Open\Command	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftComfyCakesSaveFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Games\\Purble Place\\PurblePlace.exe,0"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftChessTitansSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.PurbleShopSave-ms\ = "MicrosoftPurbleShopSaveFile"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.SolitaireSave-ms	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftHeartsSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSpiderSolitaireSaveFile\Shell	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSpiderSolitaireSaveFile\Shell\Open	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.SpiderSolitaireSave-ms	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftComfyCakesSaveFile\DefaultIcon	Windows7Games_for_Windows_11_10_8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile\FriendlyTypeName = "@C:\\Program Files\\Microsoft Games\\Solitaire\\Solitaire.exe,-125"	Windows7Games_for_Windows_11_10_8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftPurblePairsSaveFile\Shell\Open\Command	Windows7Games_for_Windows_11_10_8.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
4604	msedge.exe
4604	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1348	PurblePlace.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe
4616	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4616	4344	Windows7Games_for_Windows_11_10_8.exe	89
PID 4344 wrote to memory of 4616	4344	Windows7Games_for_Windows_11_10_8.exe	89
PID 4616 wrote to memory of 3836	4616	msedge.exe	90
PID 4616 wrote to memory of 3836	4616	msedge.exe	90
PID 4344 wrote to memory of 4380	4344	Windows7Games_for_Windows_11_10_8.exe	91
PID 4344 wrote to memory of 4380	4344	Windows7Games_for_Windows_11_10_8.exe	91
PID 4380 wrote to memory of 4400	4380	msedge.exe	92
PID 4380 wrote to memory of 4400	4380	msedge.exe	92
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4380 wrote to memory of 3520	4380	msedge.exe	93
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95
PID 4616 wrote to memory of 1224	4616	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\Windows7Games_for_Windows_11_10_8.exe
"C:\Users\Admin\AppData\Local\Temp\Windows7Games_for_Windows_11_10_8.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://winaero.com/download-windows-7-games-for-windows-11/?utm_source=software&utm_medium=in-app&utm_campaign=win7games&utm_content=finishpagelink
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff972346f8,0x7fff97234708,0x7fff97234718
    3⤵
    PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13009866426730781813,7663565445616706396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:1224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13009866426730781813,7663565445616706396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13009866426730781813,7663565445616706396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 /prefetch:8
    3⤵
    PID:2328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009866426730781813,7663565445616706396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:2460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009866426730781813,7663565445616706396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13009866426730781813,7663565445616706396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
    3⤵
    PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://winaero.com/winaero-tweaker/?utm_source=software&utm_medium=in-app&utm_campaign=win7games&utm_content=learnmorelink
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff972346f8,0x7fff97234708,0x7fff97234718
    3⤵
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,11627256140756712479,4130547657004078355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
    3⤵
    PID:3520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,11627256140756712479,4130547657004078355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2964

C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
"C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\Minesweeper\CardGames.dll

Filesize
5.9MB

MD5
6794d9d442e31dc5e95bdf65f37e4386

SHA1
2d89db0e066099e514f5f626ce427a0cd39b9d70

SHA256
959f28d9c016d64552321a46c8179fdb5241f24dedfacbb71c4dd2d51da0b05a

SHA512
6fbbb495d592e7eed498e4106576433ca695570e5eef0edabf311d5e039e194c3cdc2e2f6bba7909c95e263c151ccb5f29014415a719699f9c17bf3d4e4f5459

Download Submit
C:\Program Files\Microsoft Games\Minesweeper\slc.dll

Filesize
2KB

MD5
aabd4974253599aac885e14b8b59c0e6

SHA1
675305e6d3b557cfd849182c0052222d95d8d817

SHA256
9c2ad5c652b0c183e8f9451232bad811f040d93be5557febf6ad47a694642148

SHA512
8f75cdd0d5e57b98b3a79ea317aa6b6beaafd2e1c4415caa7071741558d69d0425c1dc16812592c223e0c3e99f8b7bc9d6edf169c80b4d1306a17883ea841668

Download Submit
C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll

Filesize
27.3MB

MD5
4b9ddb69ecff690407df6cd677a8f21e

SHA1
f74d8dc522b2f6401d6b77f82ecc996616a10e89

SHA256
faae4466e1b5fe6103891f69db68f8a1f59e46d727b87143abfb38771d7bed8a

SHA512
c19485e8da085be7cf18c6dc0c508a3269469c413e854247076620c8a55f3f3adf180c91f1a2e545bd71a6d806cd6e6188a078aa4ad81c2379520110497baea6

Download Submit
C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe

Filesize
1.2MB

MD5
4c52d613c756427e59cb9ad57bf554ed

SHA1
4cfa9f46e806aaa3c6b5b2eb6de8e2096215c947

SHA256
44028407c9d0ded4f134dce6450bebc03058f75c88d5cb9e0c6b542738b96b0f

SHA512
e6f410f642d1b0044f8a43ff59d10becb44cb368d84f58323c9b30debc6e7be752b9d8a044089fc1cd55d808db348fb7cc0284c60d905225889c82ed20d6de65

Download Submit
C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll

Filesize
8.0MB

MD5
0ff1a20e2c57e578b00060850cbae828

SHA1
4548857453f3fe160eb9138c73380b0ee420d138

SHA256
d8f3d78ff3773cc1d57545041739a056eb12bff78cd2311ff62bc32a9e34bd61

SHA512
c341a9a43858ba1ab5c9cb66ce0763d2be6b1f19c5b5b7db60200e53bc4bc0d041d071405cce743c33c7b97949da69619ac1e8a346cbb6bafb2a137f7dfe4c5e

Download Submit
C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui

Filesize
147KB

MD5
158588e518103aa47a6dd8410e556f51

SHA1
9ce8c5cbecbf377daf03e45e57013da883a8699d

SHA256
6832e5039a96fbe2c27faed617c20f362b8f7cb0a7a955336a1b6c2b0d08018e

SHA512
b8772c6e473979a34fd25d7033db32fc5c012f6e7f5f35964357ab01190f9fedd04b90796629402243f28b745dd095000c1b51f7aabdf31d8a1b9ef37e7193a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef742bf76aef93c8bb8ecfdc8bf11d08

SHA1
e282a259d92cf11159785c70e0252d16d0025d2e

SHA256
6f78242c6aa18386920c71f5e2e900774cd78d3afddef6b2f512c964e512fd12

SHA512
00b7b071f5f38d0ba5d6c49a643c20fb7912c2c3698f3d3cd555666671d9e9ac969e5a64f7c6b032c6e360d4600d3ee30703e4e1aeb569a4a6ff98576fe0f980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
757761d77948f9bbe5afc7fa878de593

SHA1
63f48f059fd3bd29f6feea8d836d1fd516763145

SHA256
6b64a2befe09567f0c5c94b9a53daa5ca665a581e02b267e922ed1fdcc4eaf94

SHA512
c8d14a1164ac5e2a5ee8c8493d12d9cb4d04aa12c2f17c71c4e9717b9387adea67e00abeed4fa127823d3385c9b1bb3e3bb5ee7ffd24bd484775b7edda12fc23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4997397e13a41e4e7c8e8fa3bac16e59

SHA1
2d295603d8367274ffa6ad8f7b1fe3e905d911d0

SHA256
205460df66578da19af2817ae61954b7464c522247e7ee567cfd1d9a8fcba6fd

SHA512
6940b15aef6ce35fb8d69d6892d328586cf5eced09562baf81be843f787aa06592b2ada8d63a292f0facfeeaa99b32ce1553f56d835c07b2d61bf3cbf7697a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5517.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5517.tmp\LangDLL.dll

Filesize
5KB

MD5
b21a3377e66b941df6d5b7cf8ba7a43a

SHA1
e7ed27fce2db9cdc11ca3c640806731dcef3864a

SHA256
ba46a03088f690ce966043f49761ff3a3a0dca236160794de841dfecc3588d1e

SHA512
f011a824c0ff7f87c6da112898f4afc87e12c5b39fb40ffcc0955012e79a4302597d892224b3b47e8143480605c73275d3799d6d2000cdf179c2912241f86916

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5517.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5517.tmp\modern-wizard.bmp

Filesize
201KB

MD5
4912001f1bf2f53fb748c1455438c935

SHA1
e11c36c9f013c1b47be9e8d217e1ab33a12b2768

SHA256
0e6ef99ae0596ce282cb46138b8fb48c55620164f2b74b588cb66936d3ba3aa1

SHA512
42396d1a061e2af67af219e3b648e9633d5f245f72585acde0da8ca7b3733bf6cc774546b8a1af041dc6a8705caa3a31732b683b140491a433d241dbdf8ff4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5517.tmp\nsDialogs.dll

Filesize
9KB

MD5
f5b0c649b0cfc103fb113d013d48cacb

SHA1
f89286966000cb053b7e94100c76ec6d1129af07

SHA256
a87bd092fa5bc00661525455b9f866b68c14c29224520c4e38f56f47234cfc1e

SHA512
e184101a03ee1c8896efb0029a02a23e46d422bc0f250ef15349c8214d44156afe2b5f739d8a2339bc2d1c05984fc55651c36c71897cd4b14f41dd37a25cfb01

Download Submit