Analysis
-
max time kernel
390s -
max time network
270s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
02/03/2024, 16:23
Static task
static1
Behavioral task
behavioral1
Sample
Cloudflare_WARP_Release-x64.msi
Resource
win10v2004-20240226-en
General
-
Target
Cloudflare_WARP_Release-x64.msi
-
Size
109.6MB
-
MD5
bba4a02e6ad578bde6679fa7e977911a
-
SHA1
f2c44930f067664fbd1f502e967afe7c7f8d66b7
-
SHA256
960e275a907869b33fbf67b009436ed651b6e8361f25cdf1dc8fd2b3d8a86e0f
-
SHA512
34421e7c28434bf3be9a1b1d5ac169dfb2b79720e1ccd7755871776ae1cfe913f9a3a7fa66187a07caceef62f14ba05a43b9426c5fb355c4839a83210dc5eb24
-
SSDEEP
1572864:hbDqkhgm+LM8MSCYZO6ZVlcKUA++MEjcCBf+obawM833f+ONif/pwwXsrjY4Ojct:YpClSR/BfxVN2Oof/pwXGjcKm61bkn
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
9 | 116 | msiexec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe | msiexec.exe
File created | C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe | msiexec.exe
File created | C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe | msiexec.exe
File created | C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe | msiexec.exe
File created | C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll | msiexec.exe
File created | C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll | msiexec.exe
File created | C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe | msiexec.exe
-
Drops file in Windows directory 26 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e57b6dc.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBB22.tmp-\Newtonsoft.Json.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIBB22.tmp-\CustomAction.config | rundll32.exe
File created | C:\Windows\Installer\SourceHash{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC46A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICEED.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSID3FE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBB22.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBB22.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC4C9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBB22.tmp-\Common.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSICEED.tmp-\Common.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDF89.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICEED.tmp-\Warp.Installer.Actions.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSICEED.tmp-\Newtonsoft.Json.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSICEED.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\e57b6dc.msi | msiexec.exe
File created | C:\Windows\Installer\e57b6de.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBB22.tmp-\Warp.Installer.Actions.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC6BE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICEED.tmp | msiexec.exe
File created | C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico | msiexec.exe
-
Executes dropped EXE 5 IoCs
pid | Process
4532 | Cloudflare WARP.exe
3988 | Cloudflare WARP.exe
3780 | Cloudflare WARP.exe
2092 | Cloudflare WARP.exe
4512 | Cloudflare WARP.exe
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3756 | sc.exe
2232 | sc.exe
908 | sc.exe
216 | sc.exe
3508 | sc.exe
-
Loads dropped DLL 26 IoCs
pid | Process
2732 | MsiExec.exe
3856 | rundll32.exe
3856 | rundll32.exe
3856 | rundll32.exe
3856 | rundll32.exe
3856 | rundll32.exe
3352 | MsiExec.exe
3352 | MsiExec.exe
2160 | MsiExec.exe
3948 | rundll32.exe
3948 | rundll32.exe
3948 | rundll32.exe
3948 | rundll32.exe
3948 | rundll32.exe
792 | MsiExec.exe
3352 | MsiExec.exe
4532 | Cloudflare WARP.exe
4532 | Cloudflare WARP.exe
3988 | Cloudflare WARP.exe
3988 | Cloudflare WARP.exe
3780 | Cloudflare WARP.exe
3780 | Cloudflare WARP.exe
2092 | Cloudflare WARP.exe
2092 | Cloudflare WARP.exe
4512 | Cloudflare WARP.exe
4512 | Cloudflare WARP.exe
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
-
Modifies registry class 35 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\2 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B\53CA8B0563A903A4D8787C6F9D8AC661 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\URL Protocol | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\DefaultIcon\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\", 1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Version = "402784443" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductName = "Cloudflare WARP" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductIcon = "C:\\Windows\\Installer\\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\\icon.ico" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\PackageName = "Cloudflare_WARP_Release-x64.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\ = "URL:com.cloudflare.warp Protocol" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\DefaultIcon | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\shell\open\command | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\" \"%1\"" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\PackageCode = "AC33C90352B99FA42B3CE55505D20DBA" | msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4532 Cloudflare WARP.exe 4532 Cloudflare WARP.exe 4532 Cloudflare WARP.exe 3988 Cloudflare WARP.exe 3988 Cloudflare WARP.exe 3988 Cloudflare WARP.exe 3780 Cloudflare WARP.exe 3780 Cloudflare WARP.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 2092 Cloudflare WARP.exe 2092 Cloudflare WARP.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3372 | taskmgr.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
656 | Process not Found
656 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 116 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 116 | msiexec.exe
Token: SeSecurityPrivilege | 3312 | msiexec.exe
Token: SeCreateTokenPrivilege | 116 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 116 | msiexec.exe
Token: SeLockMemoryPrivilege | 116 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 116 | msiexec.exe
Token: SeMachineAccountPrivilege | 116 | msiexec.exe
Token: SeTcbPrivilege | 116 | msiexec.exe
Token: SeSecurityPrivilege | 116 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 116 | msiexec.exe
Token: SeLoadDriverPrivilege | 116 | msiexec.exe
Token: SeSystemProfilePrivilege | 116 | msiexec.exe
Token: SeSystemtimePrivilege | 116 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 116 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 116 | msiexec.exe
Token: SeCreatePagefilePrivilege | 116 | msiexec.exe
Token: SeCreatePermanentPrivilege | 116 | msiexec.exe
Token: SeBackupPrivilege | 116 | msiexec.exe
Token: SeRestorePrivilege | 116 | msiexec.exe
Token: SeShutdownPrivilege | 116 | msiexec.exe
Token: SeDebugPrivilege | 116 | msiexec.exe
Token: SeAuditPrivilege | 116 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 116 | msiexec.exe
Token: SeChangeNotifyPrivilege | 116 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 116 | msiexec.exe
Token: SeUndockPrivilege | 116 | msiexec.exe
Token: SeSyncAgentPrivilege | 116 | msiexec.exe
Token: SeEnableDelegationPrivilege | 116 | msiexec.exe
Token: SeManageVolumePrivilege | 116 | msiexec.exe
Token: SeImpersonatePrivilege | 116 | msiexec.exe
Token: SeCreateGlobalPrivilege | 116 | msiexec.exe
Token: SeBackupPrivilege | 3840 | vssvc.exe
Token: SeRestorePrivilege | 3840 | vssvc.exe
Token: SeAuditPrivilege | 3840 | vssvc.exe
Token: SeBackupPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeBackupPrivilege | 4124 | srtasks.exe
Token: SeRestorePrivilege | 4124 | srtasks.exe
Token: SeSecurityPrivilege | 4124 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4124 | srtasks.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeBackupPrivilege | 4124 | srtasks.exe
Token: SeRestorePrivilege | 4124 | srtasks.exe
Token: SeSecurityPrivilege | 4124 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4124 | srtasks.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3312 | msiexec.exe
Token: SeRestorePrivilege | 3312 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 116 msiexec.exe 116 msiexec.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe 3372 taskmgr.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 3312 wrote to memory of 4124 | 3312 | msiexec.exe | 103
PID 3312 wrote to memory of 4124 | 3312 | msiexec.exe | 103
PID 3312 wrote to memory of 2732 | 3312 | msiexec.exe | 105
PID 3312 wrote to memory of 2732 | 3312 | msiexec.exe | 105
PID 2732 wrote to memory of 3856 | 2732 | MsiExec.exe | 106
PID 2732 wrote to memory of 3856 | 2732 | MsiExec.exe | 106
PID 3312 wrote to memory of 3352 | 3312 | msiexec.exe | 107
PID 3312 wrote to memory of 3352 | 3312 | msiexec.exe | 107
PID 3312 wrote to memory of 3352 | 3312 | msiexec.exe | 107
PID 3312 wrote to memory of 2160 | 3312 | msiexec.exe | 108
PID 3312 wrote to memory of 2160 | 3312 | msiexec.exe | 108
PID 2160 wrote to memory of 3948 | 2160 | MsiExec.exe | 109
PID 2160 wrote to memory of 3948 | 2160 | MsiExec.exe | 109
PID 3948 wrote to memory of 2232 | 3948 | rundll32.exe | 110
PID 3948 wrote to memory of 2232 | 3948 | rundll32.exe | 110
PID 3948 wrote to memory of 908 | 3948 | rundll32.exe | 112
PID 3948 wrote to memory of 908 | 3948 | rundll32.exe | 112
PID 3948 wrote to memory of 216 | 3948 | rundll32.exe | 114
PID 3948 wrote to memory of 216 | 3948 | rundll32.exe | 114
PID 3948 wrote to memory of 3508 | 3948 | rundll32.exe | 116
PID 3948 wrote to memory of 3508 | 3948 | rundll32.exe | 116
PID 3948 wrote to memory of 3756 | 3948 | rundll32.exe | 118
PID 3948 wrote to memory of 3756 | 3948 | rundll32.exe | 118
PID 3312 wrote to memory of 792 | 3312 | msiexec.exe | 121
PID 3312 wrote to memory of 792 | 3312 | msiexec.exe | 121
PID 3312 wrote to memory of 792 | 3312 | msiexec.exe | 121
PID 3312 wrote to memory of 4532 | 3312 | msiexec.exe | 123
PID 3312 wrote to memory of 4532 | 3312 | msiexec.exe | 123
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:116
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124
-
-
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding A6038174CBD80828693794FC0E74F87B
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBB22.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240630625 2 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams
3⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:3856
-
-
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 283224DCE12A40A9EA9D8B02D63AF5A9
2⤵
- Loads dropped DLL
PID:3352
-
-
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding D02ECDF269CAFB0A77779ADBA7484E79 E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICEED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240635734 32 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService
3⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\system32\sc.exe
"sc.exe" create CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\" displayname= "Cloudflare WARP" start= "auto"
4⤵
- Launches sc.exe
PID:2232
-
-
C:\Windows\system32\sc.exe
"sc.exe" config CloudflareWARP depend= "wlansvc"
4⤵
- Launches sc.exe
PID:908
-
-
C:\Windows\system32\sc.exe
"sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/5000
4⤵
- Launches sc.exe
PID:216
-
-
C:\Windows\system32\sc.exe
"sc.exe" failureflag CloudflareWARP 1
4⤵
- Launches sc.exe
PID:3508
-
-
C:\Windows\system32\sc.exe
"sc.exe" config CloudflareWARP start=AUTO
4⤵
- Launches sc.exe
PID:3756
-
-
-
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B6F3EF49E7AEB83CA0C8BB8564EED37D E Global\MSI0000
2⤵
- Loads dropped DLL
PID:792
-
-
C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4532
-
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2944
-
C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3988
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1264
-
C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3780
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3372
-
C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2092
-
C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe
"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4512
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8
Filesize 727B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8
Filesize 412B
-
C:\Users\Admin\AppData\Local\Temp\.net\Cloudflare WARP\bJ0iwigOeLveb0qYWU7CnC9W0WB96G0=\PresentationNative_cor3.dll
Filesize 1.2MB
-
\??\Volume{5a066776-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f792c030-dacc-41a6-9a21-f039ef0f7b02}_OnDiskSnapshotProp
Filesize 6KB