0e6df159e58f9c47bddae3fd9d307ba039289981f55d9f1a2d66539a27ae4e2b

Analysis

max time kernel
81s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Train.Simulator.Classic.v73.9a.Incl.ALL.DLC/Train.Simulator.Classic.v73.9a.Incl.ALL.DLC/Install/Phys.exe
Size

32.4MB
MD5

a91dc17d650098cd3273b78dc1f36932
SHA1

58d4da52bedd606abbf8ea6a5d5008dae3d413a9
SHA256

449ad1fd72e9ceb6738a921fd803d3da1671048e49b0f4248fa7bb9bde3a4732
SHA512

62b78e64cdb74be78dbec6ca4c7a441b7002b85032b2b7f5ccb0f1aa9d2ac828987a5335f9a881c5d560e45e54cd46dd09d12c0725031ac89dde48a71c65f504
SSDEEP

786432:IxSGhM//IkbzhC9Bqq3RH6tSZUiPfVs1OgAwlx:LYsA3RH6YBVs15lx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Phys.exe

Executes dropped EXE 2 IoCs

pid	Process
3604	MSI7ACC.tmp
4800	MSI7B0B.tmp

Loads dropped DLL 14 IoCs

pid	Process
1408	MsiExec.exe
1408	MsiExec.exe
1408	MsiExec.exe
1408	MsiExec.exe
1408	MsiExec.exe
1408	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.1\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.2\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.3.1\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.1\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.5\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.1\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.3\PhysXCooking64.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.3.2\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.4.4\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.2\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.4\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\DO_NOT_MANUALLY_DELETE_ANY_SUBFOLDERS.txt	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.3\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.3.2\NxCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.3.3\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.4.4\NxCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.3\PhysXCore.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS3F5C371F8EA24F259D3DD0B4526E3AEA_9_10_0513.MSI	Phys.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.3\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.1\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.4\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.0\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.1\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.4.1\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.0\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\A_Ball_Trans.ico	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\physxcudart_20.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\PhysXLoader.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.1\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.6\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.4.0\NxCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\cudart64_30_9.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.6\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.2\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.0\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.2\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.4\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.4\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.0\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\cudart32_30_9.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\physxcudart64_20.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.3\PhysXCore64.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.4.1\NxCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\PhysXLoader64.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\PhysXDevice.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.4\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.3.1\NxCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.0\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.3\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common\PhysXDevice64.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.3\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.5\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.3\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.7.4\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.4.0\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.0\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS3F5C371F8EA24F259D3DD0B4526E3AEA_9_10_0513.MSI	Phys.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.3.3\NxCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.0\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.5.1\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.1\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.3\PhysXCore.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.6.3\PhysXCooking.dll	msiexec.exe
File created	C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\v2.8.0\PhysXCore.dll	msiexec.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7404.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CCF.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}\A_Ball_Trans.72AC20DB_37D3_1016_B346_A7FD958F5C39.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC3.tmp	msiexec.exe
File created	C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP\WiseCustomCalla.dll	MsiExec.exe
File opened for modification	C:\Windows\Installer\e586915.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}\A_Ball_Trans.EFBABE66_E43C_474F_A6F1_F0312317E9E1.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}\A_Ball_Trans.72AC20DB_37D3_1016_B346_A7FD958F5C39.ico	msiexec.exe
File created	C:\Windows\Installer\e586917.msi	msiexec.exe
File created	C:\Windows\Installer\e586915.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}\A_Ball_Trans.EFBABE66_E43C_474F_A6F1_F0312317E9E1.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7ACC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C93.tmp	msiexec.exe
File opened for modification	C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP\WiseData.ini	MsiExec.exe
File created	C:\Windows\Installer\SourceHash{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI7ACC.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI7B0B.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A64_Eng_2.8.3.37.msm = "PhysX_A64_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.7.3.50.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.6.1.6.msm = "PhysX_A32_Engines"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList\Net\1 = "C:\\Program Files (x86)\\Common Files\\Wise Installation Wizard\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.7.1.40.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.6.4.6.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.4.4.4.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.4.1.4.msm = "PhysX_A32_Engines"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList\PackageName = "WIS3F5C371F8EA24F259D3DD0B4526E3AEA_9_10_0513.MSI"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.8.1.51.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.7.6.30.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.6.2.6.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.5.0.16.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.4.0.3.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\Version = "151650817"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\61A06632C8ACCC042938A4584BF90122	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\61A06632C8ACCC042938A4584BF90122\F173C5F32AE852F4D9D30D4B25E6A3AE	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.3.2.5.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.3.1.2.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A64_Control_Panel = "PhysX_A64_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A64_Engines	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.7.2.9.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.7.0.9.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.6.3.6.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.5.1.5.msm = "PhysX_A32_Engines"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList\Media\DiskPrompt = "[ProductName] [1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.6.0.5.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.3.3.4.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\ProductName = "NVIDIA PhysX"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.5.4.2.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.5.3.2.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Common Files\\Wise Installation Wizard\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Engines	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.8.3.37.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.7.5.37.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.7.4.30.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\PackageCode = "EE43A566D8A80ED409E3B0C01FA2557B"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Control_Panel = "PhysX_A32_Engines"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F173C5F32AE852F4D9D30D4B25E6A3AE\PhysX_A32_Eng_2.8.0.39.msm = "PhysX_A32_Engines"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F173C5F32AE852F4D9D30D4B25E6A3AE\SourceList\Media\1 = ";LABEL"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3644	msiexec.exe
3644	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3844	msiexec.exe
Token: SeSecurityPrivilege	3644	msiexec.exe
Token: SeCreateTokenPrivilege	3844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3844	msiexec.exe
Token: SeLockMemoryPrivilege	3844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3844	msiexec.exe
Token: SeMachineAccountPrivilege	3844	msiexec.exe
Token: SeTcbPrivilege	3844	msiexec.exe
Token: SeSecurityPrivilege	3844	msiexec.exe
Token: SeTakeOwnershipPrivilege	3844	msiexec.exe
Token: SeLoadDriverPrivilege	3844	msiexec.exe
Token: SeSystemProfilePrivilege	3844	msiexec.exe
Token: SeSystemtimePrivilege	3844	msiexec.exe
Token: SeProfSingleProcessPrivilege	3844	msiexec.exe
Token: SeIncBasePriorityPrivilege	3844	msiexec.exe
Token: SeCreatePagefilePrivilege	3844	msiexec.exe
Token: SeCreatePermanentPrivilege	3844	msiexec.exe
Token: SeBackupPrivilege	3844	msiexec.exe
Token: SeRestorePrivilege	3844	msiexec.exe
Token: SeShutdownPrivilege	3844	msiexec.exe
Token: SeDebugPrivilege	3844	msiexec.exe
Token: SeAuditPrivilege	3844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3844	msiexec.exe
Token: SeChangeNotifyPrivilege	3844	msiexec.exe
Token: SeRemoteShutdownPrivilege	3844	msiexec.exe
Token: SeUndockPrivilege	3844	msiexec.exe
Token: SeSyncAgentPrivilege	3844	msiexec.exe
Token: SeEnableDelegationPrivilege	3844	msiexec.exe
Token: SeManageVolumePrivilege	3844	msiexec.exe
Token: SeImpersonatePrivilege	3844	msiexec.exe
Token: SeCreateGlobalPrivilege	3844	msiexec.exe
Token: SeCreateTokenPrivilege	3844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3844	msiexec.exe
Token: SeLockMemoryPrivilege	3844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3844	msiexec.exe
Token: SeMachineAccountPrivilege	3844	msiexec.exe
Token: SeTcbPrivilege	3844	msiexec.exe
Token: SeSecurityPrivilege	3844	msiexec.exe
Token: SeTakeOwnershipPrivilege	3844	msiexec.exe
Token: SeLoadDriverPrivilege	3844	msiexec.exe
Token: SeSystemProfilePrivilege	3844	msiexec.exe
Token: SeSystemtimePrivilege	3844	msiexec.exe
Token: SeProfSingleProcessPrivilege	3844	msiexec.exe
Token: SeIncBasePriorityPrivilege	3844	msiexec.exe
Token: SeCreatePagefilePrivilege	3844	msiexec.exe
Token: SeCreatePermanentPrivilege	3844	msiexec.exe
Token: SeBackupPrivilege	3844	msiexec.exe
Token: SeRestorePrivilege	3844	msiexec.exe
Token: SeShutdownPrivilege	3844	msiexec.exe
Token: SeDebugPrivilege	3844	msiexec.exe
Token: SeAuditPrivilege	3844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3844	msiexec.exe
Token: SeChangeNotifyPrivilege	3844	msiexec.exe
Token: SeRemoteShutdownPrivilege	3844	msiexec.exe
Token: SeUndockPrivilege	3844	msiexec.exe
Token: SeSyncAgentPrivilege	3844	msiexec.exe
Token: SeEnableDelegationPrivilege	3844	msiexec.exe
Token: SeManageVolumePrivilege	3844	msiexec.exe
Token: SeImpersonatePrivilege	3844	msiexec.exe
Token: SeCreateGlobalPrivilege	3844	msiexec.exe
Token: SeCreateTokenPrivilege	3844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3844	msiexec.exe
Token: SeLockMemoryPrivilege	3844	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3844	msiexec.exe
3844	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3844	2572	Phys.exe	81
PID 2572 wrote to memory of 3844	2572	Phys.exe	81
PID 2572 wrote to memory of 3844	2572	Phys.exe	81
PID 3644 wrote to memory of 1408	3644	msiexec.exe	84
PID 3644 wrote to memory of 1408	3644	msiexec.exe	84
PID 3644 wrote to memory of 1408	3644	msiexec.exe	84
PID 3644 wrote to memory of 4968	3644	msiexec.exe	95
PID 3644 wrote to memory of 4968	3644	msiexec.exe	95
PID 3644 wrote to memory of 224	3644	msiexec.exe	97
PID 3644 wrote to memory of 224	3644	msiexec.exe	97
PID 3644 wrote to memory of 224	3644	msiexec.exe	97
PID 3644 wrote to memory of 3604	3644	msiexec.exe	99
PID 3644 wrote to memory of 3604	3644	msiexec.exe	99
PID 3644 wrote to memory of 3604	3644	msiexec.exe	99
PID 3644 wrote to memory of 4800	3644	msiexec.exe	100
PID 3644 wrote to memory of 4800	3644	msiexec.exe	100
PID 3644 wrote to memory of 4800	3644	msiexec.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Install\Phys.exe
"C:\Users\Admin\AppData\Local\Temp\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Install\Phys.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS3F5C371F8EA24F259D3DD0B4526E3AEA_9_10_0513.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Train.Simulator.Classic.v73.9a.Incl.ALL.DLC\Install\Phys.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4D80CE3B55BCCBB673AEEEDD382F7774 C
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1408
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4968
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D9827A4DB324455937F41C7568E303D8
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:224
- C:\Windows\Installer\MSI7ACC.tmp
  "C:\Windows\Installer\MSI7ACC.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3604
- C:\Windows\Installer\MSI7B0B.tmp
  "C:\Windows\Installer\MSI7B0B.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e586916.rbs

Filesize
45KB

MD5
f2811517cab9c173e2407bd15d32920f

SHA1
2196e67ae2ac99d762db781ab7159e7c6a96e5a3

SHA256
575625383a80f1330813e66c1b3bcdc48c784b12cd147072a0b8a939722b6633

SHA512
4877e03d1aed1ce340c1720e9fb87317db4091de4375fa485018cdf2a1e883f6fc5785b58294f0164a8606af1929deb595a0852df28b2745662f4a8069f1e00e

Download Submit
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS3F5C371F8EA24F259D3DD0B4526E3AEA_9_10_0513.MSI

Filesize
25.7MB

MD5
375324aca01886eeb28a5b9f8b2cfee7

SHA1
8b1fa42efff161d621ac58607f4d72c3d59df6cf

SHA256
f9ba0d1c1bf8b81e2c32462485b78c0fad8f28ea6816ddf892c8783632769073

SHA512
d24d61cc1c1286d2bf00ad5532ed2eb2752f7e8c87a1504be2d85a3baed4ceed5a29cc8e2ee66caa93ba0e87150fe69e505097fb5e59ca5f384bc29d28cdbd97

Download Submit
C:\Program Files (x86)\NVIDIA Corporation\PhysX\Engine\DO_NOT_MANUALLY_DELETE_ANY_SUBFOLDERS.txt

Filesize
1B

MD5
7215ee9c7d9dc229d2921a40e899ec5f

SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI267E.tmp

Filesize
22KB

MD5
1368fe994fce9c1ddaf3b01db45bbf79

SHA1
9debc04f4de1dea0e49844b844c5521c230eb3f8

SHA256
0044aac10bf23b3e27ba8c274933fad40e7418944387a745827139913ecdf095

SHA512
856f1bc5e96c7f989394b9259f6b7dad388d3d19f4ce91abd4db5d0becf1eac284a00fed067f2e6f5220db770d8baa5627c7746b8bfc1cc2a16d5d0ee8ce566c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI272B.tmp

Filesize
126KB

MD5
48a8123016d261e45ee807c0e238a971

SHA1
d7c8bc1e4d6437697f137cff3eca0e31e49a55cf

SHA256
871f195e12ebb609e6179756092a5821e78cbf920c5c3c7da9ceb01aca991a78

SHA512
a03ed081d740160f92f0f46315e3eff6aa7ac1b6ca65c28be595a802b4d32614cc778d57792b0fbc68ec2ce7382bfcee6c4009226cb2b5428c5819d3b6d5828f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI82248.LOG

Filesize
13KB

MD5
2bc72e200e7e119b048ff36bbca20ff4

SHA1
44306b5b48679033a8d95bc3f67d1959331d2c29

SHA256
1a2bc3b748b1ed2e30d256e23c77eb7cbccb58b934420a38eeffe5e35fd38c84

SHA512
afe2451f00df3c5d63701d6eabb16181f2dc81c8bcc038df479362d5af5a3d17114d9a63db980f4623665a7eb677c402ecc7b7857f9a90e1863e9090f6053b5e

Download Submit
C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP\WiseCustomCalla.dll

Filesize
196KB

MD5
154e3e1be8a54020ad36c4c0c7f3d126

SHA1
336d77566688eea6b14f45d5f43bc5db94fd63af

SHA256
1691bd3ed63e2f076c324263cb4f9a8e1abc0f57716d8b70e6115e95c9b0128b

SHA512
7d14f6c4b55aef1c4fc2a2f0d8cf7d2df8d68dd9a4ac46049364ab372d6059bd8ff9363b41381142991602c429a872773b7118d656447c4dad56731e9e3e77ec

Download Submit
C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP\WiseData.ini

Filesize
4KB

MD5
84675ecbe2831608022fc285bef11b6a

SHA1
1cbeaa088b33cde15f94707cf64b8ac836fae679

SHA256
de5604f84f118580eea8ed872091eba3543b3adca46d46240928cb3999d2851f

SHA512
fa1084aeade2e7004c65a0668e560b079a66da2d99e5bb0f8f1842102c0feee169699ef8bbbf7fcb7399f0634c0f7138246094b6feb646dfb4c2ed56cd56718b

Download Submit
C:\Windows\Installer\MSI7ACC.tmp

Filesize
61KB

MD5
ab04eb816c8a3fb76ac88692b23b5117

SHA1
48ac4f4746e3e7a3b7f597ead537fea8505d51ff

SHA256
f18a5ab55e7c505cd09dfedca61a22a9281639fe2ae2766a96469ae9977346b5

SHA512
51da4583f5dae5a28b1f157db2443ace9ff3ecc69bf6d5dd326064ae34461ca2b312af808e56b5ff264f6cea5249c9d53447eaaefe02a3cc585851f962ba8bfd

Download Submit
C:\Windows\Installer\MSI7C93.tmp

Filesize
52KB

MD5
35aeffe3ca4a465a03986b076cc52624

SHA1
b0a7aa6359e3d7b526c62705a5fb2e8900c73126

SHA256
bc9391c79d1468ba98461eedc30c8cd36dba02913fcef0a17a82fd3a0ae47ad8

SHA512
5c1de89109d028b4ed286309724408c44fd4cc23468e35052d314d1fe4dbaa436f309175137a60b6837761476d1df93ecc493ca119e227187b6adb20969d4d35

Download Submit
C:\Windows\Installer\{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}\A_Ball_Trans.72AC20DB_37D3_1016_B346_A7FD958F5C39.ico

Filesize
24KB

MD5
424dcdf91371ab8d0e78f33ec812ed55

SHA1
766b729ee6510ae9788b7d94934b35be9fd69752

SHA256
812dfa2b5e7c1a1f87a5c56d78092d2ab1c520cf3f9a63565497c3b160645d09

SHA512
20a573f344a6e8cad0b648a5368691030cbfee18c541893590d198a692d582b850c72e18e322ac9de24c39e000ea0716b16a82747f1d41b7a8eeb164759d5376

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
cf9e7a81d64c11d4e4925ebaaa24e9c7

SHA1
9ff3e0f2dcd57a41a5340e47c7d326fca2792ecc

SHA256
38d0df38d974b434c21fd64b502fb2ecfd2660304e9c37a1980210d85cd530fb

SHA512
c556762ff769b2d290b49f9f63841f639ddd0fd0ae164b99dc3411e60728c89ead118e427d980949ce8fe2c3175dda1f0c2cd179f6fd8686de47a24280a5a9de

Download Submit
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f5f3bd91-07a8-48fd-8c97-1571eed34002}_OnDiskSnapshotProp

Filesize
6KB

MD5
8d0f692dd86aa2419441a9f6215a87ac

SHA1
bcafc20a0975931cf0b29cb3f69a40e59d401684

SHA256
abf24396c7865837a398f826d01d142095ff5ed886e47e0ba0bdb733092b1864

SHA512
2e8064b6e3286012265bde1e7f0afd880abce8de7d77036878732be7232ceb7cedd3bdcbbc03f1eee97a17ef580622e8b10770e1498c823c12830408d214605b

Download Submit
memory/224-43-0x0000000002810000-0x0000000002845000-memory.dmp

Filesize
212KB

Download
memory/1408-23-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download