Resubmissions

02/03/2024, 16:23

240302-tvvw9sfc38 8

02/03/2024, 16:17

240302-trpk3sfb89 8

Analysis

  • max time kernel
    117s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 16:17

General

  • Target

    Cloudflare_WARP_Release-x64.msi

  • Size

    109.6MB

  • MD5

    bba4a02e6ad578bde6679fa7e977911a

  • SHA1

    f2c44930f067664fbd1f502e967afe7c7f8d66b7

  • SHA256

    960e275a907869b33fbf67b009436ed651b6e8361f25cdf1dc8fd2b3d8a86e0f

  • SHA512

    34421e7c28434bf3be9a1b1d5ac169dfb2b79720e1ccd7755871776ae1cfe913f9a3a7fa66187a07caceef62f14ba05a43b9426c5fb355c4839a83210dc5eb24

  • SSDEEP

    1572864:hbDqkhgm+LM8MSCYZO6ZVlcKUA++MEjcCBf+obawM833f+ONif/pwwXsrjY4Ojct:YpClSR/BfxVN2Oof/pwXGjcKm61bkn

Score
8/10

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 26 IoCs
  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 17 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5028
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2916
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:3240
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding A865C615FCD603E0BEC2BD534DCD9E17
      2⤵
      • Loads dropped DLL
      PID:540
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIF5D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240652343 2 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        PID:4196
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2073629837F52E435723C54C958C68C5
      2⤵
      • Loads dropped DLL
      PID:3204
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 8454FDCEFEE20BE6D290A6562D45D8F4 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:3664
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI29CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240658968 32 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        PID:3156
        • C:\Windows\system32\sc.exe
          "sc.exe" create CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\" displayname= "Cloudflare WARP" start= "auto"
          4⤵
          • Launches sc.exe
          PID:3876
        • C:\Windows\system32\sc.exe
          "sc.exe" config CloudflareWARP depend= "wlansvc"
          4⤵
          • Launches sc.exe
          PID:1588
        • C:\Windows\system32\sc.exe
          "sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/5000
          4⤵
          • Launches sc.exe
          PID:60
        • C:\Windows\system32\sc.exe
          "sc.exe" failureflag CloudflareWARP 1
          4⤵
          • Launches sc.exe
          PID:2856
        • C:\Windows\system32\sc.exe
          "sc.exe" config CloudflareWARP start=AUTO
          4⤵
          • Launches sc.exe
          PID:2280
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D518FD4891DB2A1073C792258AE64E53 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:968
    • C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
      "C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2548
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3128
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffca6a29758,0x7ffca6a29768,0x7ffca6a29778
      2⤵
      PID:3648
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:2
      2⤵
      PID:852
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      2⤵
      PID:4520
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      2⤵
      PID:3144
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2648 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      2⤵
      PID:3156
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2656 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      2⤵
      PID:3664
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      2⤵
      PID:1372
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      2⤵
      PID:3288
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5176 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      2⤵
      PID:4776
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      2⤵
      PID:4248
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4828 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      2⤵
      PID:1008
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:3344
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
    PID:3980
  • C:\Windows\system32\werfault.exe
    werfault.exe /hc /shared Global\d64b2185fd4f45d28a6d271075389bbe /t 4076 /p 4040
    1⤵
    PID:5924
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:836
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3348
  • C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
    "C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
    1⤵
    PID:5292
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:5588
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2856
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e58080b.rbs
    Filesize
    138KB
    MD5
    002ffce4c59b17bfde832867e49c4d01
    SHA1
    a9f86911b4084a088b9868944a83b92d4bbddb1b
    SHA256
    995aa115cf6acc9446c0b5d5ef3f187dccc7b71240c12a868a2059eb19dc3468
    SHA512
    0a5fc3aafba2358f564435215de728d9fac844a77526e9ba322f493022a984beb5ba7340ddd8e3a69903085d71261c439c8c82fce081bfac7da5644e03993379

  • C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
    Filesize
    6.7MB
    MD5
    bd63b42a6425c9bf3e99da58c35d5566
    SHA1
    54de65b83883491842142a07ab66f29e45d96054
    SHA256
    fe0eb5f110e7cbcb964e6664ba6ec4fcec06dfd0d5c1044a70392cef0a9dfe9a
    SHA512
    8370debd223f2d460790ea45e8777c22473b78c79d4b2cc7ae4058b3ee97c268f3442ef964f1eb056b3c884e1e86caec45f712ad6b328ef30cb76ec12c0f8d50

  • C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
    Filesize
    4.9MB
    MD5
    ef74e9d7429509ddd5a87c5934db76d7
    SHA1
    9b073e7bd54522ebe8701b88e2814ab84f94b93a
    SHA256
    edd83771d0a9a8b75f0bbcd06fe37762540ca01dd93f70e279b39ac28e97ad97
    SHA512
    2f869a9d26a151bdd4297cd2f96159c004ec2864f55a4f4fec0184bb4cb9520bee5c3277bf5240a0626802cc4283af71788721164b20300acd45b8477747540f

  • C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
    Filesize
    4.6MB
    MD5
    27abc373573847cbc6211c49832740c7
    SHA1
    39537891f5c373286a03d257e56e206163eced45
    SHA256
    a473e3882d233069a14bc579aee9da8a41a31a9d520024a39fe3143ff847d171
    SHA512
    5f0b942fd2242f42342fd444c60da61564f7c84e22d9b6d3be0b94bfb5cfa94541588f4d9c450cb8e74b3c585d770a1eed4ceb038ef26cea6aac7c6572817451

  • C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
    Filesize
    3.2MB
    MD5
    f6024a8d7213d584c2fdccfc201cf78b
    SHA1
    c00de9df3b2c43a8e74ca13741c64cc941f493f0
    SHA256
    507623bf54f1a2c872d965b0b6245c5ee868f252ce241d0b94be4a4128023f91
    SHA512
    2591194bd2d733144d4f93c71b867c3452b7a4e1797b5b94ff23d305b580d2851c0ab02f082737d4106e9c51d1249f800414c93aff1dd67cb8b230f4a2436b3b

  • C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.DLL
    Filesize
    3.1MB
    MD5
    73e9dfeaaa2bc6d2448708dc7388febf
    SHA1
    cf0dff6a1c3afb8f2f37de5805d42bbf78eddc7b
    SHA256
    a499c94a6ca3ccdd35262fcf5e4f515e07a5123714b23abdf94c510a4d2b7ba5
    SHA512
    87ce21c088254fae51a3e358f4ceb1c120136956bba7c58131cf10121ee54b5061c3a79e2acfde3c7d591df52ce50a7229178db38066cc2b5184d9e7835e56b3

  • C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll
    Filesize
    2.7MB
    MD5
    adddf910835a925fbdafc06efb6033c4
    SHA1
    4812382fea0cdc5c4b14ea6a71d065190243060c
    SHA256
    74990955440da7f36eca8344d926c2682497941d276cf3b5798d663994af4b30
    SHA512
    4f3cc3bcfda07927204e4c830b3a0c364f874d8a18e277ea9186a8d3d5b3f25c29a6bfcfcfada763428ff394e28a3eb4182bac9d0dde74af69b5795475e0bb90

  • C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll
    Filesize
    3.4MB
    MD5
    074005c6fad60027e985a510728a9d4f
    SHA1
    c5079d80b7e4aa603e16fd6f6d4214f5381d5ee7
    SHA256
    1ccf83e0e4ec5ed048c552601d9844f9136cecad6294f7456a278694cf83919c
    SHA512
    74059bb12f7146dfc2b5d5616b99db46ef9f70a17a3056bd9b08923de64f429c04e611352f013319ecf004a76c9e7a2abcac6d79f4210f63122163be21d34df4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8
    Filesize
    727B
    MD5
    79da8942eab812340192032f51c93e65
    SHA1
    6bef259c97f0ff2bf779f1278399123b9a94b264
    SHA256
    97010ba4a610397fbc97dfb11d0072f6b4a94f5b04aa793bcdec00f5ecedeeb9
    SHA512
    652d453b57f5e0411b1d3e05a6c0ca9a491c76d056700cd155b95ed095cec77dfaf7517a71deb1ace0b7e3ad6c88c5a5d53c29f10e38ae4dcb70665b7a44ba2d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8
    Filesize
    412B
    MD5
    80de5b279f1a890eed43841ae0afd7e4
    SHA1
    e85790cdd37b6938449ec9189bd604903e3b8e14
    SHA256
    04df1a91b07f933e442ce8e25b90ee0d860c8941b4d6770fef82ccc3c928ccf9
    SHA512
    f49b87f34fe58773ecfc048e8e39d0c228f1cb157422af30004b562f7991f7ae20734d0a9a7745cc0baffac0f2d11adc633d018062e0ccb284c879d6f13f163c

  • C:\Users\Admin\AppData\Local\Cloudflare\WARP-GUI.log
    Filesize
    2KB
    MD5
    7b8ef874c255621d87a85b9ee3787eff
    SHA1
    6f3373393ce57939b67a139fce9ddaf4b2f13edd
    SHA256
    bc7bd50f487ac63475be0019e6ca1a47ed70b34a1caf38ec3a3ef321e16db871
    SHA512
    8db2ced668bbe53e0db29997a2184762ce3019f441e7eaee07263e0f826d67c8f58f4d397784e770c60a1177007a34894f4c4261e267f137ef24325558de3732

  • C:\Users\Admin\AppData\Local\Cloudflare\ipc.log
    Filesize
    274B
    MD5
    dc513e1345d8013635fb7766715bade6
    SHA1
    a6a340106b06c18c3c4e79dfe735af07547f62ba
    SHA256
    2f0645af001e162e340dc71b071e4a50e15f4cbf15f11c1b8d5f78e00b3daacf
    SHA512
    4ba6ea2b63822b10671d7ef64a05b19636c14f8718117dbbef1ae905f0cc81846006a706912f25b592b5a40bb7e72f14f5fb244243d73a061226e6c305dd1be8

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
    Filesize
    195KB
    MD5
    89d79dbf26a3c2e22ddd95766fe3173d
    SHA1
    f38fd066eef4cf4e72a934548eafb5f6abb00b53
    SHA256
    367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
    SHA512
    ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize
    168B
    MD5
    2044cb76a7cfdbbf723a5e19dca2afa7
    SHA1
    74fe0ef20731144a86a0567b3cf4fc6fbfe89e4d
    SHA256
    029ae79efb7988c9e2b9ec0f129e5385676da6ec1bf173d9e29ec8aca3521969
    SHA512
    0a2a9ada083eeeeb1d623a73d5fbee68528598773016df3bc4489fbffb5e3df40bc542f0dcc2667f35dbe8180923e5ab01074a3d64ee0d9ee9a1cdef2d18c613

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize
    1KB
    MD5
    d37245c35d7da702b2e4cfe026ccdd47
    SHA1
    51bd3f050377f02dc4ef637cf06ddfeb94215cd1
    SHA256
    afdd625b8ef01ec30ce9f784101e39ca5ffcad589be3b3fd21ee1fb8b099db7b
    SHA512
    6e4285f5f5d239852a277df08ab00f0215e887422bb0ab1b96d89bffb0a2756373b1b23f558e00e2290e4f376a84a8a3fe75c214296f228c7ffd68b7d4c15d80

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize
    371B
    MD5
    52355752d2f005cd6fa94ac8997a2ec0
    SHA1
    dba48f0e6c9b0cb10f9feab3a7610268a1ba1ccd
    SHA256
    c80ddbd73e0bb68e224a32cfe74a4dac8d4a8e0e88a18f0cadd2dad7fe18650f
    SHA512
    760f81d58f1af6bd24155bca0aca32c3b56d90479413771fb441a24412b920680da72a60dc0987f9f58e8b0f00f013f2d51025ec9f184f1c1841490dd20cacac

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    ba6733249647703ef5a93b358e382856
    SHA1
    34de2c55ab0cb54c5fa554c7c89e41864ccb7c0a
    SHA256
    f7ec9f0dfd2d1e63ed918f63d4a5a43a428c978903f7008778d7dc43682b297e
    SHA512
    076742f8cbbd771eb0c3dd96f611da3871ef9c09a1c471c092bc29f0225ac998e1cfc798c1a6d9bd27085cd91ec5a80ec18f8bb4834050e13c36b1906d1a6b6d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    efcc8b952e031fb30cc80b7d446352fe
    SHA1
    91a84549abeffde73013215474124c1495fc09c4
    SHA256
    0d6a7585f14d1800974888dd0f4b208e2d9e843728350e9af2807a5cd051dcac
    SHA512
    2274dc4777cebfe3b74896551de0afa09011797f87f492fd2de62662edd988c5a3e3452449d23b0023b3386d6ff9ae3dfdfb4a02cc1954816c531a43ca5b10c5

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    8b464bcef586f843dc568259f8fa82f7
    SHA1
    426c971ba5e5fd9a4d1cc25e01c29f272536c79f
    SHA256
    9cd8d2ea8122f247e45d5bd8871169f213d04d791b292d492d74b12a49247c63
    SHA512
    d75d5b15d0e0f27be1af89c8325ac79826f20bbf4dd2b3a524d9175da5f83f532c573a5a0182f1fd3c12889e9f863a21e57d7e18686771e01fcee24689453b6f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize
    15KB
    MD5
    43f8796d258f9fbf1662461372bc145e
    SHA1
    06a253bf5082480107405d59b07d67b755125b10
    SHA256
    64b5a589ca0325a29e018f646144474c447ea0e5490d6a0a0ed823f45a181bfd
    SHA512
    b4ef3886e8114282be6952ea3b5d03ff93f294ba9def8040dd3b401cb8e202b899ddf0af9681593842f3f43a13ff8e2ed0f0e99d113734359bd85bbd4e63ea1f

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                  Filesize

                                                  254KB

                                                  MD5

                                                  c3fd670305f29e4f422fd016a8d88eb8

                                                  SHA1

                                                  fe32147f7badac904f7558e95ba2e319044f5cfa

                                                  SHA256

                                                  de5173ae5fdb373af94e46f92c957ad4b8d975a2f0af10c183d3f77850cdd216

                                                  SHA512

                                                  ecdd65957b61df0e119ca3f21752f248df540cddf9cce3bb018b31fd650d886abdb8c562352b85b618c637d7f78ac1f1571bc609a9c081081a6520bbdee7c18f

                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                                                  Filesize

                                                  2B

                                                  MD5

                                                  99914b932bd37a50b983c5e7c90ae93b

                                                  SHA1

                                                  bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                  SHA256

                                                  44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                  SHA512

                                                  27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

                                                  Filesize

                                                  737B

                                                  MD5

                                                  5727da8319619d065c7a43f9a7322529

                                                  SHA1

                                                  aacdde2f71d8c9f3993614bfed0d5ce754c2138f

                                                  SHA256

                                                  ab68e7ac87c905042b3ff21ea1e50b1eb48666b8e4834fd42c51295e879a9572

                                                  SHA512

                                                  35d9459254824a051d94f3eba1151e49a8919a924c7a32ba2a6d3a40e29c0e43412e36d4629fe425112e434975367e12edda84f76b7325ac643f0a595d232e16

                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133538700440186960.txt

                                                  Filesize

                                                  75KB

                                                  MD5

                                                  af6b6cf76f390e41615eac09c4759d9a

                                                  SHA1

                                                  fa825f1687429384504f1de30977296177148d40

                                                  SHA256

                                                  2c4832f2a3b0a44248dcd5fc9511159aa16c436090bf9bf813eb62acc8007016

                                                  SHA512

                                                  bb522a283d1ddd795cda1164efb7882aff5ba0dc8d9ee5e841b425838edea521852d842477eaee2e07b2eb554799e1df276b62615b496e7c56f72a390be19ffe

                                                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SL9YLD9N\microsoft.windows[1].xml

                                                  Filesize

                                                  97B

                                                  MD5

                                                  bb7934efe1e99dde2a4be53178ce8fd7

                                                  SHA1

                                                  49e6b2f364b597c34832d1878259d5eb671f21a4

                                                  SHA256

                                                  11904522eefd80ce753b37f72e745a251ea2a9bd65cbccbc8993944280db3426

                                                  SHA512

                                                  23ae797546cd1b9884c23e593c371e99ec872b54d5f0856729137ad78507e6e120de7bc75aa7dd7c7556217a628bcf8824175ea0982d6c3236cd22b15455c1d6

                                                • C:\Users\Admin\AppData\Local\Temp\.net\Cloudflare WARP\bJ0iwigOeLveb0qYWU7CnC9W0WB96G0=\PresentationNative_cor3.dll

                                                  Filesize

                                                  1.2MB

                                                  MD5

                                                  607039b9e741f29a5996d255ae7ea39f

                                                  SHA1

                                                  9ea6ef007bee59e05dd9dd994da2a56a8675a021

                                                  SHA256

                                                  be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369

                                                  SHA512

                                                  0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

                                                • C:\Users\Admin\AppData\Local\Temp\MSI76d7f.LOG

                                                  Filesize

                                                  36KB

                                                  MD5

                                                  d2b6d5222fe6ec1ebd4493a32aefa30a

                                                  SHA1

                                                  d028a9a44f82c816667d5751add6eef6714480ae

                                                  SHA256

                                                  c88ef71e12f6924037f8bbf277edd86e2dd52568e7488750f4d64fa85ca10e8b

                                                  SHA512

                                                  6ea913cdaf2d69fd667385588d35ed32aaff403f9aee7d4d15f7f77fbaa1634059bac072e6f46d0cb30d40f9854d801954ae6ff7695665e10894e958f7951d9c

                                                • C:\Windows\Installer\MSI174E.tmp

                                                  Filesize

                                                  127KB

                                                  MD5

                                                  93394d2866590fb66759f5f0263453f2

                                                  SHA1

                                                  2f0903d4b21a0231add1b4cd02e25c7c4974da84

                                                  SHA256

                                                  5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

                                                  SHA512

                                                  f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

                                                • C:\Windows\Installer\MSI29CE.tmp-\CustomAction.config

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  01c01d040563a55e0fd31cc8daa5f155

                                                  SHA1

                                                  3c1c229703198f9772d7721357f1b90281917842

                                                  SHA256

                                                  33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f

                                                  SHA512

                                                  9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5

                                                • C:\Windows\Installer\MSI29CE.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                  Filesize

                                                  179KB

                                                  MD5

                                                  1a5caea6734fdd07caa514c3f3fb75da

                                                  SHA1

                                                  f070ac0d91bd337d7952abd1ddf19a737b94510c

                                                  SHA256

                                                  cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

                                                  SHA512

                                                  a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

                                                • C:\Windows\Installer\MSI3682.tmp

                                                  Filesize

                                                  211KB

                                                  MD5

                                                  a3ae5d86ecf38db9427359ea37a5f646

                                                  SHA1

                                                  eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

                                                  SHA256

                                                  c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

                                                  SHA512

                                                  96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

                                                • C:\Windows\Installer\MSIF5D.tmp

                                                  Filesize

                                                  501KB

                                                  MD5

                                                  79d36f854e69d96831900896f1fbf37f

                                                  SHA1

                                                  45a5925cd560d5ed0a46e93e34de99d7f749a52b

                                                  SHA256

                                                  fcf0603193be0b8c576ec326d6b1ad648cbfec5edef31c6649b31ce37335efbf

                                                  SHA512

                                                  9e401338bc7196c0595099a44d8df5ca24e2691aa2bfae4457106aac4003c119d57f8f2a276689ab3984d24dcfd48ead88c544cb5205af531810f8e274f4ae88

                                                • C:\Windows\Installer\MSIF5D.tmp-\Common.dll

                                                  Filesize

                                                  15KB

                                                  MD5

                                                  526d309cf201e07fd8f57e93c1721e90

                                                  SHA1

                                                  4163868aef223f6dfd6bcf81df81d2f1579e8a64

                                                  SHA256

                                                  aab7d3d7caf3bd91f7d1af666cb147c432348060b14e14fdf2b57a415cc4cc16

                                                  SHA512

                                                  8c69d50c8842189d397fdd430eef8785c9a7ddb7f38cc451ff1f33f39a2f61683eb79ed75cf796e287c1970c93e55714658673dc663a1aa1cbcb6a7c25014981

                                                • C:\Windows\Installer\MSIF5D.tmp-\Warp.Installer.Actions.dll

                                                  Filesize

                                                  21KB

                                                  MD5

                                                  e741e1de9e2ddd5d7c54cd8db93a8a1c

                                                  SHA1

                                                  5f87db8d4405af97acda2b12e01f55186fcd8015

                                                  SHA256

                                                  06a1ab4342d09f0fb53a8811c8d7c0ad12c7aaf0b35665a353f787381e359128

                                                  SHA512

                                                  721f637d228793b3fd16ab8713b699e4ace1181f8f677a829b64ba14cd9cac5d04462042e6a588018a7fc236e5538e70c464f1d215a9005c3e47e414b6f25718

                                                • C:\Windows\Installer\e58080a.msi

                                                  Filesize

                                                  4.4MB

                                                  MD5

                                                  ecdbb26397c45ce15ca4cb788dab3fdc

                                                  SHA1

                                                  4ab70f044f9b3778db4471d35d974cd7136b3a1e

                                                  SHA256

                                                  9dc890968167a67976e4260f12fc311897f2c299a13168ca734024a97cb50e35

                                                  SHA512

                                                  8efbd060a9cbdc4aef2ee12aea55aebf0d2f98e86b422a264e76673e2aef25642c16fcf92e1296196be862b938bfd1addd273f5c4e50a0b2938fe686eb3b1fdf

                                                • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

                                                  Filesize

                                                  6.0MB

                                                  MD5

                                                  b047c75bd7e3ee97334a53ca581eb28e

                                                  SHA1

                                                  0eba86ae8b906848d77564cf0ee17c45bc28efcd

                                                  SHA256

                                                  5d0b662c1874e96ac29c51b30d0ea50010390ce6ec26f5e611704931b0828f3f

                                                  SHA512

                                                  f4552880f6ef8c90577d986a4959de85ed5c11cd606a229dd486260d22a4c32b76b6aa88e02ee2c1ae4f8c3ce8df5a4ee2cc185d24c7bfa5fb9d9872e295e0e6

                                                • \??\Volume{e992337d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef81b0d0-d94c-4542-805b-95a4088089c6}_OnDiskSnapshotProp

                                                  Filesize

                                                  6KB

                                                  MD5

                                                  0488d7b4fd75a4e8ce65a0f406821759

                                                  SHA1

                                                  ff51a717f18950d5aed83fb2c1e62c8327de5d62

                                                  SHA256

                                                  32e0859861b13219cb450c630da098069e77d9aecc816666447c5d94ceb8508c

                                                  SHA512

                                                  2cbca4bc9f1a60f14faf20f185d91bc90bdc0e4291831a85138501ec52060ec7f129b9dd7091be95807959430e16f98c71a068664df5265d947820956148e7ff

                                                • memory/2548-243-0x0000000180000000-0x0000000180A25000-memory.dmp

                                                  Filesize

                                                  10.1MB

                                                • memory/2548-300-0x00000170B6500000-0x00000170B6514000-memory.dmp

                                                  Filesize

                                                  80KB

                                                • memory/2548-249-0x00007FF6407F0000-0x00007FF641163000-memory.dmp

                                                  Filesize

                                                  9.4MB

                                                • memory/2548-250-0x00000170B5810000-0x00000170B5892000-memory.dmp

                                                  Filesize

                                                  520KB

                                                • memory/2548-253-0x00000170B5780000-0x00000170B57C7000-memory.dmp

                                                  Filesize

                                                  284KB

                                                • memory/2548-256-0x0000017093820000-0x0000017093832000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2548-259-0x00000170B6ED0000-0x00000170B7E58000-memory.dmp

                                                  Filesize

                                                  15.5MB

                                                • memory/2548-262-0x00000170B5F40000-0x00000170B6168000-memory.dmp

                                                  Filesize

                                                  2.2MB

                                                • memory/2548-266-0x00000170B6170000-0x00000170B62CE000-memory.dmp

                                                  Filesize

                                                  1.4MB

                                                • memory/2548-269-0x00000170938D0000-0x00000170938FA000-memory.dmp

                                                  Filesize

                                                  168KB

                                                • memory/2548-272-0x0000017093890000-0x00000170938A3000-memory.dmp

                                                  Filesize

                                                  76KB

                                                • memory/2548-275-0x00000170938B0000-0x00000170938B7000-memory.dmp

                                                  Filesize

                                                  28KB

                                                • memory/2548-278-0x00000170B57D0000-0x00000170B5810000-memory.dmp

                                                  Filesize

                                                  256KB

                                                • memory/2548-281-0x00000170B62D0000-0x00000170B64F3000-memory.dmp

                                                  Filesize

                                                  2.1MB

                                                • memory/2548-284-0x0000017093860000-0x0000017093865000-memory.dmp

                                                  Filesize

                                                  20KB

                                                • memory/2548-287-0x00000170938C0000-0x00000170938C9000-memory.dmp

                                                  Filesize

                                                  36KB

                                                • memory/2548-290-0x00000170B5910000-0x00000170B594E000-memory.dmp

                                                  Filesize

                                                  248KB

                                                • memory/2548-294-0x0000017093850000-0x0000017093858000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/2548-297-0x0000017093900000-0x000001709390E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                • memory/2548-246-0x00000170B5B60000-0x00000170B5F3D000-memory.dmp

                                                  Filesize

                                                  3.9MB

                                                • memory/2548-303-0x00000170B58E0000-0x00000170B58EB000-memory.dmp

                                                  Filesize

                                                  44KB

                                                • memory/2548-306-0x00000170B6570000-0x00000170B65B4000-memory.dmp

                                                  Filesize

                                                  272KB

                                                • memory/2548-309-0x00000170B9870000-0x00000170BA0B2000-memory.dmp

                                                  Filesize

                                                  8.3MB

                                                • memory/2548-549-0x00007FF6407F0000-0x00007FF641163000-memory.dmp

                                                  Filesize

                                                  9.4MB

                                                • memory/3156-160-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/3156-155-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/3156-159-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/3156-154-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                • memory/3156-153-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/3156-174-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/4196-101-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/4196-82-0x000001592BCB0000-0x000001592BCB8000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/4196-565-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/4196-85-0x000001592BD10000-0x000001592BD2A000-memory.dmp

                                                  Filesize

                                                  104KB

                                                • memory/4196-78-0x000001592BCA0000-0x000001592BCAA000-memory.dmp

                                                  Filesize

                                                  40KB

                                                • memory/4196-73-0x000001592BCC0000-0x000001592BCEE000-memory.dmp

                                                  Filesize

                                                  184KB

                                                • memory/5292-570-0x00007FF6407F0000-0x00007FF641163000-memory.dmp

                                                  Filesize

                                                  9.4MB

                                                • memory/5292-866-0x00007FF6407F0000-0x00007FF641163000-memory.dmp

                                                  Filesize

                                                  9.4MB