Analysis

max time kernel: 117s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 02/03/2024, 16:17
Static task: static1
Behavioral task: behavioral1
Sample: Cloudflare_WARP_Release-x64.msi
Resource: win10v2004-20240226-en

General

Target: Cloudflare_WARP_Release-x64.msi
Size: 109.6MB
MD5: bba4a02e6ad578bde6679fa7e977911a
SHA1: f2c44930f067664fbd1f502e967afe7c7f8d66b7
SHA256: 960e275a907869b33fbf67b009436ed651b6e8361f25cdf1dc8fd2b3d8a86e0f
SHA512: 34421e7c28434bf3be9a1b1d5ac169dfb2b79720e1ccd7755871776ae1cfe913f9a3a7fa66187a07caceef62f14ba05a43b9426c5fb355c4839a83210dc5eb24
SSDEEP: 1572864:hbDqkhgm+LM8MSCYZO6ZVlcKUA++MEjcCBf+obawM833f+ONif/pwwXsrjY4Ojct:YpClSR/BfxVN2Oof/pwXGjcKm61bkn
Malware Config
Signatures

Creates new service(s) 1 TTPs

Blocklisted process makes network request 1 IoCs
flow pid Process
18 5028 msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\E: msiexec.exe

Drops file in Program Files directory 7 IoCs
description ioc Process
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe msiexec.exe

Drops file in Windows directory 26 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe
File opened for modification C:\Windows\Installer\e58080a.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe
File created C:\Windows\Installer\e58080a.msi msiexec.exe
File created C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico msiexec.exe
File opened for modification C:\Windows\Installer\MSI174E.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSI29CE.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI3682.tmp msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSI1B37.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Warp.Installer.Actions.dll rundll32.exe
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Newtonsoft.Json.dll rundll32.exe
File opened for modification C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico msiexec.exe
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Warp.Installer.Actions.dll rundll32.exe
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Newtonsoft.Json.dll rundll32.exe
File opened for modification C:\Windows\Installer\MSI16EF.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\CustomAction.config rundll32.exe
File opened for modification C:\Windows\Installer\MSI2FAB.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\CustomAction.config rundll32.exe
File created C:\Windows\Installer\SourceHash{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16} msiexec.exe
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Common.dll rundll32.exe
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Common.dll rundll32.exe
File created C:\Windows\Installer\e58080c.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSIF5D.tmp msiexec.exe

Executes dropped EXE 1 IoCs
pid Process
2548 Cloudflare WARP.exe

Launches sc.exe 5 IoCs
sc.exe is a Windows utility to control services on the system.
pid Process
3876 sc.exe
1588 sc.exe
60 sc.exe
2856 sc.exe
2280 sc.exe

Loads dropped DLL 17 IoCs
pid Process
540 MsiExec.exe
4196 rundll32.exe
4196 rundll32.exe
4196 rundll32.exe
4196 rundll32.exe
4196 rundll32.exe
3204 MsiExec.exe
3204 MsiExec.exe
3664 MsiExec.exe
3156 rundll32.exe
3156 rundll32.exe
3156 rundll32.exe
3156 rundll32.exe
3156 rundll32.exe
968 MsiExec.exe
3204 MsiExec.exe
2548 Cloudflare WARP.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe

Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538699650180330" chrome.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe

Modifies registry class 36 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductName = "Cloudflare WARP" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Assignment = "1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\MuiCache SearchApp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\DefaultIcon\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\", 1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\2 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\" \"%1\"" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductIcon = "C:\\Windows\\Installer\\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\\icon.ico" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\PackageCode = "AC33C90352B99FA42B3CE55505D20DBA" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\DefaultIcon msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\shell\open\command msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Language = "1033" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\PackageName = "Cloudflare_WARP_Release-x64.msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\1 = ";" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661\ProductFeature msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Version = "402784443" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\InstanceType = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\DeploymentFlags = "3" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B\53CA8B0563A903A4D8787C6F9D8AC661 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\ = "URL:com.cloudflare.warp Protocol" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Clients = 3a0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AuthorizedLUAApp = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AdvertiseFlags = "388" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\URL Protocol msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
1404 chrome.exe
1404 chrome.exe
2548 Cloudflare WARP.exe
2548 Cloudflare WARP.exe
2548 Cloudflare WARP.exe

Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process
1404 chrome.exe
1404 chrome.exe
1404 chrome.exe
1404 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 5028 msiexec.exe
Token: SeIncreaseQuotaPrivilege 5028 msiexec.exe
Token: SeSecurityPrivilege 2916 msiexec.exe
Token: SeCreateTokenPrivilege 5028 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 5028 msiexec.exe
Token: SeLockMemoryPrivilege 5028 msiexec.exe
Token: SeIncreaseQuotaPrivilege 5028 msiexec.exe
Token: SeMachineAccountPrivilege 5028 msiexec.exe
Token: SeTcbPrivilege 5028 msiexec.exe
Token: SeSecurityPrivilege 5028 msiexec.exe
Token: SeTakeOwnershipPrivilege 5028 msiexec.exe
Token: SeLoadDriverPrivilege 5028 msiexec.exe
Token: SeSystemProfilePrivilege 5028 msiexec.exe
Token: SeSystemtimePrivilege 5028 msiexec.exe
Token: SeProfSingleProcessPrivilege 5028 msiexec.exe
Token: SeIncBasePriorityPrivilege 5028 msiexec.exe
Token: SeCreatePagefilePrivilege 5028 msiexec.exe
Token: SeCreatePermanentPrivilege 5028 msiexec.exe
Token: SeBackupPrivilege 5028 msiexec.exe
Token: SeRestorePrivilege 5028 msiexec.exe
Token: SeShutdownPrivilege 5028 msiexec.exe
Token: SeDebugPrivilege 5028 msiexec.exe
Token: SeAuditPrivilege 5028 msiexec.exe
Token: SeSystemEnvironmentPrivilege 5028 msiexec.exe
Token: SeChangeNotifyPrivilege 5028 msiexec.exe
Token: SeRemoteShutdownPrivilege 5028 msiexec.exe
Token: SeUndockPrivilege 5028 msiexec.exe
Token: SeSyncAgentPrivilege 5028 msiexec.exe
Token: SeEnableDelegationPrivilege 5028 msiexec.exe
Token: SeManageVolumePrivilege 5028 msiexec.exe
Token: SeImpersonatePrivilege 5028 msiexec.exe
Token: SeCreateGlobalPrivilege 5028 msiexec.exe
Token: SeBackupPrivilege 3128 vssvc.exe
Token: SeRestorePrivilege 3128 vssvc.exe
Token: SeAuditPrivilege 3128 vssvc.exe
Token: SeBackupPrivilege 2916 msiexec.exe
Token: SeRestorePrivilege 2916 msiexec.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeRestorePrivilege 2916 msiexec.exe
Token: SeTakeOwnershipPrivilege 2916 msiexec.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeRestorePrivilege 2916 msiexec.exe
Token: SeTakeOwnershipPrivilege 2916 msiexec.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeShutdownPrivilege 1404 chrome.exe
Token: SeCreatePagefilePrivilege 1404 chrome.exe
Token: SeRestorePrivilege 2916 msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
836 SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(child processes are indented beneath their parent)

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 5028

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 2916

    C:\Windows\system32\srtasks.exe
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 3240

    C:\Windows\System32\MsiExec.exe
      command line: C:\Windows\System32\MsiExec.exe -Embedding A865C615FCD603E0BEC2BD534DCD9E17
      - Loads dropped DLL
      PID: 540

        C:\Windows\system32\rundll32.exe
          command line: rundll32.exe "C:\Windows\Installer\MSIF5D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240652343 2 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams
          - Drops file in Windows directory
          - Loads dropped DLL
          PID: 4196

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2073629837F52E435723C54C958C68C5
      - Loads dropped DLL
      PID: 3204

    C:\Windows\System32\MsiExec.exe
      command line: C:\Windows\System32\MsiExec.exe -Embedding 8454FDCEFEE20BE6D290A6562D45D8F4 E Global\MSI0000
      - Loads dropped DLL
      PID: 3664

        C:\Windows\system32\rundll32.exe
          command line: rundll32.exe "C:\Windows\Installer\MSI29CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240658968 32 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService
          - Drops file in Windows directory
          - Loads dropped DLL
          PID: 3156

            C:\Windows\system32\sc.exe
              command line: "sc.exe" create CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\" displayname= "Cloudflare WARP" start= "auto"
              - Launches sc.exe
              PID: 3876

            C:\Windows\system32\sc.exe
              command line: "sc.exe" config CloudflareWARP depend= "wlansvc"
              - Launches sc.exe
              PID: 1588

            C:\Windows\system32\sc.exe
              command line: "sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/5000
              - Launches sc.exe
              PID: 60

            C:\Windows\system32\sc.exe
              command line: "sc.exe" failureflag CloudflareWARP 1
              - Launches sc.exe
              PID: 2856

            C:\Windows\system32\sc.exe
              command line: "sc.exe" config CloudflareWARP start=AUTO
              - Launches sc.exe
              PID: 2280

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding D518FD4891DB2A1073C792258AE64E53 E Global\MSI0000
      - Loads dropped DLL
      PID: 968

    C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
      command line: "C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID: 2548

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 3128

C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1404

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffca6a29758,0x7ffca6a29768,0x7ffca6a29778
      PID: 3648

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:2
      PID: 852

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      PID: 4520

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      PID: 3144

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2648 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      PID: 3156

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2656 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      PID: 3664

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      PID: 1372

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      PID: 3288

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5176 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      PID: 4776

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8
      PID: 4248

    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4828 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1
      PID: 1008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 3344

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 3980

C:\Windows\system32\werfault.exe
  command line: werfault.exe /hc /shared Global\d64b2185fd4f45d28a6d271075389bbe /t 4076 /p 4040
  PID: 5924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3348

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
  command line: "C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
  PID: 5292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 5588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 2856

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3156

Network
MITRE ATT&CK Enterprise v15
Downloads
SHA16bef259c97f0ff2bf779f1278399123b9a94b264
SHA25697010ba4a610397fbc97dfb11d0072f6b4a94f5b04aa793bcdec00f5ecedeeb9
SHA512652d453b57f5e0411b1d3e05a6c0ca9a491c76d056700cd155b95ed095cec77dfaf7517a71deb1ace0b7e3ad6c88c5a5d53c29f10e38ae4dcb70665b7a44ba2d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8
Filesize412B
MD580de5b279f1a890eed43841ae0afd7e4
SHA1e85790cdd37b6938449ec9189bd604903e3b8e14
SHA25604df1a91b07f933e442ce8e25b90ee0d860c8941b4d6770fef82ccc3c928ccf9
SHA512f49b87f34fe58773ecfc048e8e39d0c228f1cb157422af30004b562f7991f7ae20734d0a9a7745cc0baffac0f2d11adc633d018062e0ccb284c879d6f13f163c
-
Filesize
2KB
MD57b8ef874c255621d87a85b9ee3787eff
SHA16f3373393ce57939b67a139fce9ddaf4b2f13edd
SHA256bc7bd50f487ac63475be0019e6ca1a47ed70b34a1caf38ec3a3ef321e16db871
SHA5128db2ced668bbe53e0db29997a2184762ce3019f441e7eaee07263e0f826d67c8f58f4d397784e770c60a1177007a34894f4c4261e267f137ef24325558de3732
-
Filesize
274B
MD5dc513e1345d8013635fb7766715bade6
SHA1a6a340106b06c18c3c4e79dfe735af07547f62ba
SHA2562f0645af001e162e340dc71b071e4a50e15f4cbf15f11c1b8d5f78e00b3daacf
SHA5124ba6ea2b63822b10671d7ef64a05b19636c14f8718117dbbef1ae905f0cc81846006a706912f25b592b5a40bb7e72f14f5fb244243d73a061226e6c305dd1be8
-
Filesize
195KB
MD589d79dbf26a3c2e22ddd95766fe3173d
SHA1f38fd066eef4cf4e72a934548eafb5f6abb00b53
SHA256367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
SHA512ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6
-
Filesize
168B
MD52044cb76a7cfdbbf723a5e19dca2afa7
SHA174fe0ef20731144a86a0567b3cf4fc6fbfe89e4d
SHA256029ae79efb7988c9e2b9ec0f129e5385676da6ec1bf173d9e29ec8aca3521969
SHA5120a2a9ada083eeeeb1d623a73d5fbee68528598773016df3bc4489fbffb5e3df40bc542f0dcc2667f35dbe8180923e5ab01074a3d64ee0d9ee9a1cdef2d18c613
-
Filesize
1KB
MD5d37245c35d7da702b2e4cfe026ccdd47
SHA151bd3f050377f02dc4ef637cf06ddfeb94215cd1
SHA256afdd625b8ef01ec30ce9f784101e39ca5ffcad589be3b3fd21ee1fb8b099db7b
SHA5126e4285f5f5d239852a277df08ab00f0215e887422bb0ab1b96d89bffb0a2756373b1b23f558e00e2290e4f376a84a8a3fe75c214296f228c7ffd68b7d4c15d80
-
Filesize
371B
MD552355752d2f005cd6fa94ac8997a2ec0
SHA1dba48f0e6c9b0cb10f9feab3a7610268a1ba1ccd
SHA256c80ddbd73e0bb68e224a32cfe74a4dac8d4a8e0e88a18f0cadd2dad7fe18650f
SHA512760f81d58f1af6bd24155bca0aca32c3b56d90479413771fb441a24412b920680da72a60dc0987f9f58e8b0f00f013f2d51025ec9f184f1c1841490dd20cacac
-
Filesize
6KB
MD5ba6733249647703ef5a93b358e382856
SHA134de2c55ab0cb54c5fa554c7c89e41864ccb7c0a
SHA256f7ec9f0dfd2d1e63ed918f63d4a5a43a428c978903f7008778d7dc43682b297e
SHA512076742f8cbbd771eb0c3dd96f611da3871ef9c09a1c471c092bc29f0225ac998e1cfc798c1a6d9bd27085cd91ec5a80ec18f8bb4834050e13c36b1906d1a6b6d
-
Filesize
6KB
MD5efcc8b952e031fb30cc80b7d446352fe
SHA191a84549abeffde73013215474124c1495fc09c4
SHA2560d6a7585f14d1800974888dd0f4b208e2d9e843728350e9af2807a5cd051dcac
SHA5122274dc4777cebfe3b74896551de0afa09011797f87f492fd2de62662edd988c5a3e3452449d23b0023b3386d6ff9ae3dfdfb4a02cc1954816c531a43ca5b10c5
-
Filesize
6KB
MD58b464bcef586f843dc568259f8fa82f7
SHA1426c971ba5e5fd9a4d1cc25e01c29f272536c79f
SHA2569cd8d2ea8122f247e45d5bd8871169f213d04d791b292d492d74b12a49247c63
SHA512d75d5b15d0e0f27be1af89c8325ac79826f20bbf4dd2b3a524d9175da5f83f532c573a5a0182f1fd3c12889e9f863a21e57d7e18686771e01fcee24689453b6f
-
Filesize
15KB
MD543f8796d258f9fbf1662461372bc145e
SHA106a253bf5082480107405d59b07d67b755125b10
SHA25664b5a589ca0325a29e018f646144474c447ea0e5490d6a0a0ed823f45a181bfd
SHA512b4ef3886e8114282be6952ea3b5d03ff93f294ba9def8040dd3b401cb8e202b899ddf0af9681593842f3f43a13ff8e2ed0f0e99d113734359bd85bbd4e63ea1f
-
Filesize
254KB
MD5c3fd670305f29e4f422fd016a8d88eb8
SHA1fe32147f7badac904f7558e95ba2e319044f5cfa
SHA256de5173ae5fdb373af94e46f92c957ad4b8d975a2f0af10c183d3f77850cdd216
SHA512ecdd65957b61df0e119ca3f21752f248df540cddf9cce3bb018b31fd650d886abdb8c562352b85b618c637d7f78ac1f1571bc609a9c081081a6520bbdee7c18f
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
737B
MD55727da8319619d065c7a43f9a7322529
SHA1aacdde2f71d8c9f3993614bfed0d5ce754c2138f
SHA256ab68e7ac87c905042b3ff21ea1e50b1eb48666b8e4834fd42c51295e879a9572
SHA51235d9459254824a051d94f3eba1151e49a8919a924c7a32ba2a6d3a40e29c0e43412e36d4629fe425112e434975367e12edda84f76b7325ac643f0a595d232e16
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133538700440186960.txt
Filesize75KB
MD5af6b6cf76f390e41615eac09c4759d9a
SHA1fa825f1687429384504f1de30977296177148d40
SHA2562c4832f2a3b0a44248dcd5fc9511159aa16c436090bf9bf813eb62acc8007016
SHA512bb522a283d1ddd795cda1164efb7882aff5ba0dc8d9ee5e841b425838edea521852d842477eaee2e07b2eb554799e1df276b62615b496e7c56f72a390be19ffe
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SL9YLD9N\microsoft.windows[1].xml
Filesize97B
MD5bb7934efe1e99dde2a4be53178ce8fd7
SHA149e6b2f364b597c34832d1878259d5eb671f21a4
SHA25611904522eefd80ce753b37f72e745a251ea2a9bd65cbccbc8993944280db3426
SHA51223ae797546cd1b9884c23e593c371e99ec872b54d5f0856729137ad78507e6e120de7bc75aa7dd7c7556217a628bcf8824175ea0982d6c3236cd22b15455c1d6
-
C:\Users\Admin\AppData\Local\Temp\.net\Cloudflare WARP\bJ0iwigOeLveb0qYWU7CnC9W0WB96G0=\PresentationNative_cor3.dll
Filesize1.2MB
MD5607039b9e741f29a5996d255ae7ea39f
SHA19ea6ef007bee59e05dd9dd994da2a56a8675a021
SHA256be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369
SHA5120766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50
-
Filesize
36KB
MD5d2b6d5222fe6ec1ebd4493a32aefa30a
SHA1d028a9a44f82c816667d5751add6eef6714480ae
SHA256c88ef71e12f6924037f8bbf277edd86e2dd52568e7488750f4d64fa85ca10e8b
SHA5126ea913cdaf2d69fd667385588d35ed32aaff403f9aee7d4d15f7f77fbaa1634059bac072e6f46d0cb30d40f9854d801954ae6ff7695665e10894e958f7951d9c
-
Filesize
127KB
MD593394d2866590fb66759f5f0263453f2
SHA12f0903d4b21a0231add1b4cd02e25c7c4974da84
SHA2565c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
SHA512f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622
-
Filesize
1KB
MD501c01d040563a55e0fd31cc8daa5f155
SHA13c1c229703198f9772d7721357f1b90281917842
SHA25633d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f
SHA5129c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
501KB
MD579d36f854e69d96831900896f1fbf37f
SHA145a5925cd560d5ed0a46e93e34de99d7f749a52b
SHA256fcf0603193be0b8c576ec326d6b1ad648cbfec5edef31c6649b31ce37335efbf
SHA5129e401338bc7196c0595099a44d8df5ca24e2691aa2bfae4457106aac4003c119d57f8f2a276689ab3984d24dcfd48ead88c544cb5205af531810f8e274f4ae88
-
Filesize
15KB
MD5526d309cf201e07fd8f57e93c1721e90
SHA14163868aef223f6dfd6bcf81df81d2f1579e8a64
SHA256aab7d3d7caf3bd91f7d1af666cb147c432348060b14e14fdf2b57a415cc4cc16
SHA5128c69d50c8842189d397fdd430eef8785c9a7ddb7f38cc451ff1f33f39a2f61683eb79ed75cf796e287c1970c93e55714658673dc663a1aa1cbcb6a7c25014981
-
Filesize
21KB
MD5e741e1de9e2ddd5d7c54cd8db93a8a1c
SHA15f87db8d4405af97acda2b12e01f55186fcd8015
SHA25606a1ab4342d09f0fb53a8811c8d7c0ad12c7aaf0b35665a353f787381e359128
SHA512721f637d228793b3fd16ab8713b699e4ace1181f8f677a829b64ba14cd9cac5d04462042e6a588018a7fc236e5538e70c464f1d215a9005c3e47e414b6f25718
-
Filesize
4.4MB
MD5ecdbb26397c45ce15ca4cb788dab3fdc
SHA14ab70f044f9b3778db4471d35d974cd7136b3a1e
SHA2569dc890968167a67976e4260f12fc311897f2c299a13168ca734024a97cb50e35
SHA5128efbd060a9cbdc4aef2ee12aea55aebf0d2f98e86b422a264e76673e2aef25642c16fcf92e1296196be862b938bfd1addd273f5c4e50a0b2938fe686eb3b1fdf
-
Filesize
6.0MB
MD5b047c75bd7e3ee97334a53ca581eb28e
SHA10eba86ae8b906848d77564cf0ee17c45bc28efcd
SHA2565d0b662c1874e96ac29c51b30d0ea50010390ce6ec26f5e611704931b0828f3f
SHA512f4552880f6ef8c90577d986a4959de85ed5c11cd606a229dd486260d22a4c32b76b6aa88e02ee2c1ae4f8c3ce8df5a4ee2cc185d24c7bfa5fb9d9872e295e0e6
-
\??\Volume{e992337d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef81b0d0-d94c-4542-805b-95a4088089c6}_OnDiskSnapshotProp
Filesize6KB
MD50488d7b4fd75a4e8ce65a0f406821759
SHA1ff51a717f18950d5aed83fb2c1e62c8327de5d62
SHA25632e0859861b13219cb450c630da098069e77d9aecc816666447c5d94ceb8508c
SHA5122cbca4bc9f1a60f14faf20f185d91bc90bdc0e4291831a85138501ec52060ec7f129b9dd7091be95807959430e16f98c71a068664df5265d947820956148e7ff