Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-tvvw9sfc38
Target Cloudflare_WARP_Release-x64.msi
SHA256 960e275a907869b33fbf67b009436ed651b6e8361f25cdf1dc8fd2b3d8a86e0f
Tags persistence
Score 8/10

Analysis Overview

score
8/10

SHA256

960e275a907869b33fbf67b009436ed651b6e8361f25cdf1dc8fd2b3d8a86e0f

Threat Level: Likely malicious

The file Cloudflare_WARP_Release-x64.msi was found to be: Likely malicious.

Malicious Activity Summary

persistence

Creates new service(s)

Blocklisted process makes network request

Enumerates connected drives

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Executes dropped EXE

Loads dropped DLL

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:23

Reported

2024-03-02 16:30

Platform

win10v2004-20240226-en

Max time kernel

390s

Max time network

270s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi

Signatures

Creates new service(s)

persistence

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57b6dc.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB22.tmp-\Newtonsoft.Json.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIBB22.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC46A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICEED.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID3FE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB22.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB22.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIC4C9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB22.tmp-\Common.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICEED.tmp-\Common.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDF89.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICEED.tmp-\Warp.Installer.Actions.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICEED.tmp-\Newtonsoft.Json.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICEED.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\e57b6dc.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b6de.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB22.tmp-\Warp.Installer.Actions.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIC6BE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICEED.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\icon.ico C:\Windows\system32\msiexec.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\2 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B\53CA8B0563A903A4D8787C6F9D8AC661 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\DefaultIcon\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\", 1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\Version = "402784443" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductName = "Cloudflare WARP" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\ProductIcon = "C:\\Windows\\Installer\\{50B8AC35-9A36-4A30-8D87-C7F6D9A86C16}\\icon.ico" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\PackageName = "Cloudflare_WARP_Release-x64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\ = "URL:com.cloudflare.warp Protocol" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\53CA8B0563A903A4D8787C6F9D8AC661\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\53CA8B0563A903A4D8787C6F9D8AC661\PackageCode = "AC33C90352B99FA42B3CE55505D20DBA" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 4124 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3312 wrote to memory of 2732 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2732 wrote to memory of 3856 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 3312 wrote to memory of 3352 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3312 wrote to memory of 2160 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2160 wrote to memory of 3948 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 3948 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sc.exe
PID 3948 wrote to memory of 908 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sc.exe
PID 3948 wrote to memory of 216 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sc.exe
PID 3948 wrote to memory of 3508 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sc.exe
PID 3948 wrote to memory of 3756 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sc.exe
PID 3312 wrote to memory of 792 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3312 wrote to memory of 4532 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding A6038174CBD80828693794FC0E74F87B

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIBB22.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240630625 2 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 283224DCE12A40A9EA9D8B02D63AF5A9

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding D02ECDF269CAFB0A77779ADBA7484E79 E Global\MSI0000

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSICEED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240635734 32 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService

C:\Windows\system32\sc.exe

"sc.exe" create CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\" displayname= "Cloudflare WARP" start= "auto"

C:\Windows\system32\sc.exe

"sc.exe" config CloudflareWARP depend= "wlansvc"

C:\Windows\system32\sc.exe

"sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/5000

C:\Windows\system32\sc.exe

"sc.exe" failureflag CloudflareWARP 1

C:\Windows\system32\sc.exe

"sc.exe" config CloudflareWARP start=AUTO

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B6F3EF49E7AEB83CA0C8BB8564EED37D E Global\MSI0000

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\MSI76b8b.LOG

\??\Volume{5a066776-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f792c030-dacc-41a6-9a21-f039ef0f7b02}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_83EE79D1FEE086A5198EA6E5637C35C8

C:\Windows\Installer\MSIBB22.tmp

C:\Windows\Installer\MSIBB22.tmp-\Common.dll

C:\Windows\Installer\MSIBB22.tmp-\Warp.Installer.Actions.dll

C:\Windows\Installer\MSIC4C9.tmp

C:\Windows\Installer\MSICEED.tmp

C:\Windows\Installer\MSICEED.tmp-\CustomAction.config

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

C:\Windows\Installer\MSICEED.tmp-\Microsoft.Deployment.WindowsInstaller.dll

C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe

C:\Config.Msi\e57b6dd.rbs

C:\Windows\Installer\MSIDF89.tmp

C:\Windows\Installer\e57b6dc.msi

C:\Users\Admin\AppData\Local\Temp\.net\Cloudflare WARP\bJ0iwigOeLveb0qYWU7CnC9W0WB96G0=\PresentationNative_cor3.dll

C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll

C:\Users\Admin\AppData\Local\Cloudflare\ipc.log

C:\Users\Admin\AppData\Local\Cloudflare\WARP-GUI.log

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Cloudflare WARP.lnk