Malware Analysis Report

2025-08-11 01:06

Sample ID: 240302-trpk3sfb89
Target: Cloudflare_WARP_Release-x64.msi
SHA256: 960e275a907869b33fbf67b009436ed651b6e8361f25cdf1dc8fd2b3d8a86e0f
Tags: persistence
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file Cloudflare_WARP_Release-x64.msi was classified as likely malicious.

Malicious Activity Summary

persistence

Creates new service(s)

Blocklisted process makes network request

Enumerates connected drives

Executes dropped EXE

Drops file in Program Files directory

Launches sc.exe

Loads dropped DLL

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Checks SCSI registry key(s)

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:17

Reported

2024-03-02 16:21

Platform

win10v2004-20240226-en

Max time kernel

117s

Max time network

155s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi

Signatures

Creates new service(s)

persistence

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\e58080a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\e58080a.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI174E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29CE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3682.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1B37.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Warp.Installer.Actions.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Newtonsoft.Json.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Warp.Installer.Actions.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Newtonsoft.Json.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI16EF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI2FAB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF5D.tmp-\Common.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI29CE.tmp-\Common.dll C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\e58080c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF5D.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = <binary data elided> C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538699650180330" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductName = "Cloudflare WARP" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\DefaultIcon\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\", 1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\2 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductIcon = "C:\\Windows\\Installer\\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\\icon.ico" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\PackageCode = "AC33C90352B99FA42B3CE55505D20DBA" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\PackageName = "Cloudflare_WARP_Release-x64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Version = "402784443" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B\53CA8B0563A903A4D8787C6F9D8AC661 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\ = "URL:com.cloudflare.warp Protocol" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\URL Protocol C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 3648 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3648 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 4520 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 4520 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1404 wrote to memory of 3144 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffca6a29758,0x7ffca6a29768,0x7ffca6a29778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2648 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2656 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5176 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4828 --field-trial-handle=1908,i,12189493732442860520,16707214268152738944,131072 /prefetch:1

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding A865C615FCD603E0BEC2BD534DCD9E17

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF5D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240652343 2 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2073629837F52E435723C54C958C68C5

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 8454FDCEFEE20BE6D290A6562D45D8F4 E Global\MSI0000

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI29CE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240658968 32 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService

C:\Windows\system32\sc.exe

"sc.exe" create CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\" displayname= "Cloudflare WARP" start= "auto"

C:\Windows\system32\sc.exe

"sc.exe" config CloudflareWARP depend= "wlansvc"

C:\Windows\system32\sc.exe

"sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/5000

C:\Windows\system32\sc.exe

"sc.exe" failureflag CloudflareWARP 1

C:\Windows\system32\sc.exe

"sc.exe" config CloudflareWARP start=AUTO

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D518FD4891DB2A1073C792258AE64E53 E Global\MSI0000

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"

C:\Windows\system32\werfault.exe

werfault.exe /hc /shared Global\d64b2185fd4f45d28a6d271075389bbe /t 4076 /p 4040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
GB 92.123.128.145:443 www.bing.com tcp
US 8.8.8.8:53 145.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 216.58.212.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI76d7f.LOG

MD5 d2b6d5222fe6ec1ebd4493a32aefa30a
SHA1 d028a9a44f82c816667d5751add6eef6714480ae
SHA256 c88ef71e12f6924037f8bbf277edd86e2dd52568e7488750f4d64fa85ca10e8b
SHA512 6ea913cdaf2d69fd667385588d35ed32aaff403f9aee7d4d15f7f77fbaa1634059bac072e6f46d0cb30d40f9854d801954ae6ff7695665e10894e958f7951d9c

\??\pipe\crashpad_1404_LMQSUYPBGOXBERVZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8

MD5 79da8942eab812340192032f51c93e65
SHA1 6bef259c97f0ff2bf779f1278399123b9a94b264
SHA256 97010ba4a610397fbc97dfb11d0072f6b4a94f5b04aa793bcdec00f5ecedeeb9
SHA512 652d453b57f5e0411b1d3e05a6c0ca9a491c76d056700cd155b95ed095cec77dfaf7517a71deb1ace0b7e3ad6c88c5a5d53c29f10e38ae4dcb70665b7a44ba2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8

MD5 80de5b279f1a890eed43841ae0afd7e4
SHA1 e85790cdd37b6938449ec9189bd604903e3b8e14
SHA256 04df1a91b07f933e442ce8e25b90ee0d860c8941b4d6770fef82ccc3c928ccf9
SHA512 f49b87f34fe58773ecfc048e8e39d0c228f1cb157422af30004b562f7991f7ae20734d0a9a7745cc0baffac0f2d11adc633d018062e0ccb284c879d6f13f163c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

MD5 89d79dbf26a3c2e22ddd95766fe3173d
SHA1 f38fd066eef4cf4e72a934548eafb5f6abb00b53
SHA256 367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
SHA512 ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c3fd670305f29e4f422fd016a8d88eb8
SHA1 fe32147f7badac904f7558e95ba2e319044f5cfa
SHA256 de5173ae5fdb373af94e46f92c957ad4b8d975a2f0af10c183d3f77850cdd216
SHA512 ecdd65957b61df0e119ca3f21752f248df540cddf9cce3bb018b31fd650d886abdb8c562352b85b618c637d7f78ac1f1571bc609a9c081081a6520bbdee7c18f

C:\Windows\Installer\MSIF5D.tmp

MD5 79d36f854e69d96831900896f1fbf37f
SHA1 45a5925cd560d5ed0a46e93e34de99d7f749a52b
SHA256 fcf0603193be0b8c576ec326d6b1ad648cbfec5edef31c6649b31ce37335efbf
SHA512 9e401338bc7196c0595099a44d8df5ca24e2691aa2bfae4457106aac4003c119d57f8f2a276689ab3984d24dcfd48ead88c544cb5205af531810f8e274f4ae88

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ba6733249647703ef5a93b358e382856
SHA1 34de2c55ab0cb54c5fa554c7c89e41864ccb7c0a
SHA256 f7ec9f0dfd2d1e63ed918f63d4a5a43a428c978903f7008778d7dc43682b297e
SHA512 076742f8cbbd771eb0c3dd96f611da3871ef9c09a1c471c092bc29f0225ac998e1cfc798c1a6d9bd27085cd91ec5a80ec18f8bb4834050e13c36b1906d1a6b6d

memory/4196-73-0x000001592BCC0000-0x000001592BCEE000-memory.dmp

C:\Windows\Installer\MSIF5D.tmp-\Warp.Installer.Actions.dll

MD5 e741e1de9e2ddd5d7c54cd8db93a8a1c
SHA1 5f87db8d4405af97acda2b12e01f55186fcd8015
SHA256 06a1ab4342d09f0fb53a8811c8d7c0ad12c7aaf0b35665a353f787381e359128
SHA512 721f637d228793b3fd16ab8713b699e4ace1181f8f677a829b64ba14cd9cac5d04462042e6a588018a7fc236e5538e70c464f1d215a9005c3e47e414b6f25718

memory/4196-78-0x000001592BCA0000-0x000001592BCAA000-memory.dmp

C:\Windows\Installer\MSIF5D.tmp-\Common.dll

MD5 526d309cf201e07fd8f57e93c1721e90
SHA1 4163868aef223f6dfd6bcf81df81d2f1579e8a64
SHA256 aab7d3d7caf3bd91f7d1af666cb147c432348060b14e14fdf2b57a415cc4cc16
SHA512 8c69d50c8842189d397fdd430eef8785c9a7ddb7f38cc451ff1f33f39a2f61683eb79ed75cf796e287c1970c93e55714658673dc663a1aa1cbcb6a7c25014981

memory/4196-85-0x000001592BD10000-0x000001592BD2A000-memory.dmp

memory/4196-82-0x000001592BCB0000-0x000001592BCB8000-memory.dmp

memory/4196-101-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

\??\Volume{e992337d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef81b0d0-d94c-4542-805b-95a4088089c6}_OnDiskSnapshotProp

MD5 0488d7b4fd75a4e8ce65a0f406821759
SHA1 ff51a717f18950d5aed83fb2c1e62c8327de5d62
SHA256 32e0859861b13219cb450c630da098069e77d9aecc816666447c5d94ceb8508c
SHA512 2cbca4bc9f1a60f14faf20f185d91bc90bdc0e4291831a85138501ec52060ec7f129b9dd7091be95807959430e16f98c71a068664df5265d947820956148e7ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 52355752d2f005cd6fa94ac8997a2ec0
SHA1 dba48f0e6c9b0cb10f9feab3a7610268a1ba1ccd
SHA256 c80ddbd73e0bb68e224a32cfe74a4dac8d4a8e0e88a18f0cadd2dad7fe18650f
SHA512 760f81d58f1af6bd24155bca0aca32c3b56d90479413771fb441a24412b920680da72a60dc0987f9f58e8b0f00f013f2d51025ec9f184f1c1841490dd20cacac

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 b047c75bd7e3ee97334a53ca581eb28e
SHA1 0eba86ae8b906848d77564cf0ee17c45bc28efcd
SHA256 5d0b662c1874e96ac29c51b30d0ea50010390ce6ec26f5e611704931b0828f3f
SHA512 f4552880f6ef8c90577d986a4959de85ed5c11cd606a229dd486260d22a4c32b76b6aa88e02ee2c1ae4f8c3ce8df5a4ee2cc185d24c7bfa5fb9d9872e295e0e6

C:\Windows\Installer\MSI174E.tmp

MD5 93394d2866590fb66759f5f0263453f2
SHA1 2f0903d4b21a0231add1b4cd02e25c7c4974da84
SHA256 5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
SHA512 f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 43f8796d258f9fbf1662461372bc145e
SHA1 06a253bf5082480107405d59b07d67b755125b10
SHA256 64b5a589ca0325a29e018f646144474c447ea0e5490d6a0a0ed823f45a181bfd
SHA512 b4ef3886e8114282be6952ea3b5d03ff93f294ba9def8040dd3b401cb8e202b899ddf0af9681593842f3f43a13ff8e2ed0f0e99d113734359bd85bbd4e63ea1f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

MD5 5727da8319619d065c7a43f9a7322529
SHA1 aacdde2f71d8c9f3993614bfed0d5ce754c2138f
SHA256 ab68e7ac87c905042b3ff21ea1e50b1eb48666b8e4834fd42c51295e879a9572
SHA512 35d9459254824a051d94f3eba1151e49a8919a924c7a32ba2a6d3a40e29c0e43412e36d4629fe425112e434975367e12edda84f76b7325ac643f0a595d232e16

C:\Windows\Installer\MSI29CE.tmp-\CustomAction.config

MD5 01c01d040563a55e0fd31cc8daa5f155
SHA1 3c1c229703198f9772d7721357f1b90281917842
SHA256 33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f
SHA512 9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5

C:\Windows\Installer\MSI29CE.tmp-\Microsoft.Deployment.WindowsInstaller.dll

MD5 1a5caea6734fdd07caa514c3f3fb75da
SHA1 f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256 cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512 a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

memory/3156-153-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

memory/3156-154-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

memory/3156-159-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

memory/3156-155-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

memory/3156-160-0x00000228A6B90000-0x00000228A6BA0000-memory.dmp

memory/3156-174-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

MD5 bd63b42a6425c9bf3e99da58c35d5566
SHA1 54de65b83883491842142a07ab66f29e45d96054
SHA256 fe0eb5f110e7cbcb964e6664ba6ec4fcec06dfd0d5c1044a70392cef0a9dfe9a
SHA512 8370debd223f2d460790ea45e8777c22473b78c79d4b2cc7ae4058b3ee97c268f3442ef964f1eb056b3c884e1e86caec45f712ad6b328ef30cb76ec12c0f8d50

C:\Config.Msi\e58080b.rbs

MD5 002ffce4c59b17bfde832867e49c4d01
SHA1 a9f86911b4084a088b9868944a83b92d4bbddb1b
SHA256 995aa115cf6acc9446c0b5d5ef3f187dccc7b71240c12a868a2059eb19dc3468
SHA512 0a5fc3aafba2358f564435215de728d9fac844a77526e9ba322f493022a984beb5ba7340ddd8e3a69903085d71261c439c8c82fce081bfac7da5644e03993379

C:\Windows\Installer\MSI3682.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

MD5 ef74e9d7429509ddd5a87c5934db76d7
SHA1 9b073e7bd54522ebe8701b88e2814ab84f94b93a
SHA256 edd83771d0a9a8b75f0bbcd06fe37762540ca01dd93f70e279b39ac28e97ad97
SHA512 2f869a9d26a151bdd4297cd2f96159c004ec2864f55a4f4fec0184bb4cb9520bee5c3277bf5240a0626802cc4283af71788721164b20300acd45b8477747540f

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

MD5 27abc373573847cbc6211c49832740c7
SHA1 39537891f5c373286a03d257e56e206163eced45
SHA256 a473e3882d233069a14bc579aee9da8a41a31a9d520024a39fe3143ff847d171
SHA512 5f0b942fd2242f42342fd444c60da61564f7c84e22d9b6d3be0b94bfb5cfa94541588f4d9c450cb8e74b3c585d770a1eed4ceb038ef26cea6aac7c6572817451

C:\Windows\Installer\e58080a.msi

MD5 ecdbb26397c45ce15ca4cb788dab3fdc
SHA1 4ab70f044f9b3778db4471d35d974cd7136b3a1e
SHA256 9dc890968167a67976e4260f12fc311897f2c299a13168ca734024a97cb50e35
SHA512 8efbd060a9cbdc4aef2ee12aea55aebf0d2f98e86b422a264e76673e2aef25642c16fcf92e1296196be862b938bfd1addd273f5c4e50a0b2938fe686eb3b1fdf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2044cb76a7cfdbbf723a5e19dca2afa7
SHA1 74fe0ef20731144a86a0567b3cf4fc6fbfe89e4d
SHA256 029ae79efb7988c9e2b9ec0f129e5385676da6ec1bf173d9e29ec8aca3521969
SHA512 0a2a9ada083eeeeb1d623a73d5fbee68528598773016df3bc4489fbffb5e3df40bc542f0dcc2667f35dbe8180923e5ab01074a3d64ee0d9ee9a1cdef2d18c613

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8b464bcef586f843dc568259f8fa82f7
SHA1 426c971ba5e5fd9a4d1cc25e01c29f272536c79f
SHA256 9cd8d2ea8122f247e45d5bd8871169f213d04d791b292d492d74b12a49247c63
SHA512 d75d5b15d0e0f27be1af89c8325ac79826f20bbf4dd2b3a524d9175da5f83f532c573a5a0182f1fd3c12889e9f863a21e57d7e18686771e01fcee24689453b6f

memory/2548-243-0x0000000180000000-0x0000000180A25000-memory.dmp

memory/2548-246-0x00000170B5B60000-0x00000170B5F3D000-memory.dmp

memory/2548-249-0x00007FF6407F0000-0x00007FF641163000-memory.dmp

memory/2548-250-0x00000170B5810000-0x00000170B5892000-memory.dmp

memory/2548-253-0x00000170B5780000-0x00000170B57C7000-memory.dmp

memory/2548-256-0x0000017093820000-0x0000017093832000-memory.dmp

memory/2548-259-0x00000170B6ED0000-0x00000170B7E58000-memory.dmp

memory/2548-262-0x00000170B5F40000-0x00000170B6168000-memory.dmp

memory/2548-266-0x00000170B6170000-0x00000170B62CE000-memory.dmp

memory/2548-269-0x00000170938D0000-0x00000170938FA000-memory.dmp

memory/2548-272-0x0000017093890000-0x00000170938A3000-memory.dmp

memory/2548-275-0x00000170938B0000-0x00000170938B7000-memory.dmp

memory/2548-278-0x00000170B57D0000-0x00000170B5810000-memory.dmp

memory/2548-281-0x00000170B62D0000-0x00000170B64F3000-memory.dmp

memory/2548-284-0x0000017093860000-0x0000017093865000-memory.dmp

memory/2548-287-0x00000170938C0000-0x00000170938C9000-memory.dmp

memory/2548-290-0x00000170B5910000-0x00000170B594E000-memory.dmp

memory/2548-294-0x0000017093850000-0x0000017093858000-memory.dmp

memory/2548-297-0x0000017093900000-0x000001709390E000-memory.dmp

memory/2548-300-0x00000170B6500000-0x00000170B6514000-memory.dmp

memory/2548-303-0x00000170B58E0000-0x00000170B58EB000-memory.dmp

memory/2548-306-0x00000170B6570000-0x00000170B65B4000-memory.dmp

memory/2548-309-0x00000170B9870000-0x00000170BA0B2000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 efcc8b952e031fb30cc80b7d446352fe
SHA1 91a84549abeffde73013215474124c1495fc09c4
SHA256 0d6a7585f14d1800974888dd0f4b208e2d9e843728350e9af2807a5cd051dcac
SHA512 2274dc4777cebfe3b74896551de0afa09011797f87f492fd2de62662edd988c5a3e3452449d23b0023b3386d6ff9ae3dfdfb4a02cc1954816c531a43ca5b10c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 d37245c35d7da702b2e4cfe026ccdd47
SHA1 51bd3f050377f02dc4ef637cf06ddfeb94215cd1
SHA256 afdd625b8ef01ec30ce9f784101e39ca5ffcad589be3b3fd21ee1fb8b099db7b
SHA512 6e4285f5f5d239852a277df08ab00f0215e887422bb0ab1b96d89bffb0a2756373b1b23f558e00e2290e4f376a84a8a3fe75c214296f228c7ffd68b7d4c15d80

C:\Users\Admin\AppData\Local\Temp\.net\Cloudflare WARP\bJ0iwigOeLveb0qYWU7CnC9W0WB96G0=\PresentationNative_cor3.dll

MD5 607039b9e741f29a5996d255ae7ea39f
SHA1 9ea6ef007bee59e05dd9dd994da2a56a8675a021
SHA256 be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369
SHA512 0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll

MD5 adddf910835a925fbdafc06efb6033c4
SHA1 4812382fea0cdc5c4b14ea6a71d065190243060c
SHA256 74990955440da7f36eca8344d926c2682497941d276cf3b5798d663994af4b30
SHA512 4f3cc3bcfda07927204e4c830b3a0c364f874d8a18e277ea9186a8d3d5b3f25c29a6bfcfcfada763428ff394e28a3eb4182bac9d0dde74af69b5795475e0bb90

C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.DLL

MD5 73e9dfeaaa2bc6d2448708dc7388febf
SHA1 cf0dff6a1c3afb8f2f37de5805d42bbf78eddc7b
SHA256 a499c94a6ca3ccdd35262fcf5e4f515e07a5123714b23abdf94c510a4d2b7ba5
SHA512 87ce21c088254fae51a3e358f4ceb1c120136956bba7c58131cf10121ee54b5061c3a79e2acfde3c7d591df52ce50a7229178db38066cc2b5184d9e7835e56b3

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133538700440186960.txt

MD5 af6b6cf76f390e41615eac09c4759d9a
SHA1 fa825f1687429384504f1de30977296177148d40
SHA256 2c4832f2a3b0a44248dcd5fc9511159aa16c436090bf9bf813eb62acc8007016
SHA512 bb522a283d1ddd795cda1164efb7882aff5ba0dc8d9ee5e841b425838edea521852d842477eaee2e07b2eb554799e1df276b62615b496e7c56f72a390be19ffe

memory/2548-549-0x00007FF6407F0000-0x00007FF641163000-memory.dmp

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

MD5 f6024a8d7213d584c2fdccfc201cf78b
SHA1 c00de9df3b2c43a8e74ca13741c64cc941f493f0
SHA256 507623bf54f1a2c872d965b0b6245c5ee868f252ce241d0b94be4a4128023f91
SHA512 2591194bd2d733144d4f93c71b867c3452b7a4e1797b5b94ff23d305b580d2851c0ab02f082737d4106e9c51d1249f800414c93aff1dd67cb8b230f4a2436b3b

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SL9YLD9N\microsoft.windows[1].xml

MD5 bb7934efe1e99dde2a4be53178ce8fd7
SHA1 49e6b2f364b597c34832d1878259d5eb671f21a4
SHA256 11904522eefd80ce753b37f72e745a251ea2a9bd65cbccbc8993944280db3426
SHA512 23ae797546cd1b9884c23e593c371e99ec872b54d5f0856729137ad78507e6e120de7bc75aa7dd7c7556217a628bcf8824175ea0982d6c3236cd22b15455c1d6

memory/4196-565-0x00007FFCA3900000-0x00007FFCA43C1000-memory.dmp

memory/5292-570-0x00007FF6407F0000-0x00007FF641163000-memory.dmp

C:\Users\Admin\AppData\Local\Cloudflare\WARP-GUI.log

MD5 7b8ef874c255621d87a85b9ee3787eff
SHA1 6f3373393ce57939b67a139fce9ddaf4b2f13edd
SHA256 bc7bd50f487ac63475be0019e6ca1a47ed70b34a1caf38ec3a3ef321e16db871
SHA512 8db2ced668bbe53e0db29997a2184762ce3019f441e7eaee07263e0f826d67c8f58f4d397784e770c60a1177007a34894f4c4261e267f137ef24325558de3732

C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll

MD5 074005c6fad60027e985a510728a9d4f
SHA1 c5079d80b7e4aa603e16fd6f6d4214f5381d5ee7
SHA256 1ccf83e0e4ec5ed048c552601d9844f9136cecad6294f7456a278694cf83919c
SHA512 74059bb12f7146dfc2b5d5616b99db46ef9f70a17a3056bd9b08923de64f429c04e611352f013319ecf004a76c9e7a2abcac6d79f4210f63122163be21d34df4

C:\Users\Admin\AppData\Local\Cloudflare\ipc.log

MD5 dc513e1345d8013635fb7766715bade6
SHA1 a6a340106b06c18c3c4e79dfe735af07547f62ba
SHA256 2f0645af001e162e340dc71b071e4a50e15f4cbf15f11c1b8d5f78e00b3daacf
SHA512 4ba6ea2b63822b10671d7ef64a05b19636c14f8718117dbbef1ae905f0cc81846006a706912f25b592b5a40bb7e72f14f5fb244243d73a061226e6c305dd1be8

memory/5292-866-0x00007FF6407F0000-0x00007FF641163000-memory.dmp