Analysis
-
max time kernel
189s -
max time network
196s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system -
submitted
09/08/2024, 07:37
Static task
static1
Behavioral task
behavioral1
Sample
Cloudflare_WARP_2024.6.473.0 (1).msi
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
Cloudflare_WARP_2024.6.473.0 (1).msi
Resource
win11-20240802-en
General
-
Target
Cloudflare_WARP_2024.6.473.0 (1).msi
-
Size
114.1MB
-
MD5
01863c2e21361ad5cb4861ee18567469
-
SHA1
990931cd7560b6b120b960c540f0dcfe16168bad
-
SHA256
540fb26438a66c6e9f0817a5e50296852070e48544e3d983517e5e4df741ccf8
-
SHA512
2e6ff67e543bb318300dc2bf8488389b808d0f6f30a5736a98e74f4d87a228710eb615653254c559c467e8f40d32971c05c815e0c0b0a5df196c557d9a219b34
-
SSDEEP
3145728:pbuxknn1N2OkHxHtEti8GX95/Dn5+tJM8rExAUSJStn:pb8kn10VhtEmzrnQ48rECPEt
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Blocklisted process makes network request 2 IoCs
flow pid Process
2 3364 msiexec.exe
4 3364 msiexec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
pid Process 5108 sc.exe -
Drops file in Program Files directory 9 IoCs
description ioc Process
File created C:\Program Files\Cloudflare\Cloudflare WARP\aws_lc_fips_0_12_8_rust_wrapper.dll msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-dex.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp_ipc.dll msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\wintun.dll msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\aws_lc_fips_0_12_8_crypto.dll msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe msiexec.exe
File created C:\Program Files\Cloudflare\Cloudflare WARP\warp-diag.exe msiexec.exe
-
Drops file in Windows directory 28 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSICAE2.tmp-0\Common.dll rundll32.exe File opened for modification C:\Windows\Installer\MSICAE2.tmp-0\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6FA.tmp msiexec.exe File created C:\Windows\INF\netsstpa.PNF svchost.exe File created C:\Windows\Installer\e58a6ab.msi msiexec.exe File opened for modification C:\Windows\Installer\e58a6ab.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIBAB4.tmp-0\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSICAE2.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIBAB4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBAB4.tmp-0\Common.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB438.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBAB4.tmp-0\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSICAE2.tmp-0\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\INF\netrasa.PNF svchost.exe File opened for modification C:\Windows\Installer\MSIB8FC.tmp msiexec.exe File created C:\Windows\Installer\{85DDC31D-E92E-4574-8582-8D5F3CA77928}\icon.ico msiexec.exe File opened for modification C:\Windows\Installer\MSIB61D.tmp msiexec.exe File opened for modification C:\Windows\Installer\{85DDC31D-E92E-4574-8582-8D5F3CA77928}\icon.ico msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIBAB4.tmp-0\Warp.Installer.Actions.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBAB4.tmp-0\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification 
C:\Windows\Installer\MSICAE2.tmp-0\Warp.Installer.Actions.dll rundll32.exe File created C:\Windows\Installer\SourceHash{85DDC31D-E92E-4574-8582-8D5F3CA77928} msiexec.exe File opened for modification C:\Windows\Installer\MSICE6D.tmp msiexec.exe File created C:\Windows\Installer\e58a6ad.msi msiexec.exe File opened for modification C:\Windows\Installer\MSICAE2.tmp-0\CustomAction.config rundll32.exe -
Executes dropped EXE 1 IoCs
pid Process 5104 Cloudflare WARP.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
4560 sc.exe
4552 sc.exe
492 sc.exe
2552 sc.exe
5108 sc.exe
-
Loads dropped DLL 18 IoCs
pid Process 4968 MsiExec.exe 4968 MsiExec.exe 1272 MsiExec.exe 1420 rundll32.exe 1420 rundll32.exe 1420 rundll32.exe 1420 rundll32.exe 1420 rundll32.exe 1272 MsiExec.exe 984 rundll32.exe 984 rundll32.exe 984 rundll32.exe 984 rundll32.exe 984 rundll32.exe 4468 MsiExec.exe 4968 MsiExec.exe 5104 Cloudflare WARP.exe 5104 Cloudflare WARP.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" MsiExec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe -
Modifies registry class 36 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\PackageCode = "73B56D4488D6F5C40A3072403203D1B1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\Media\2 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\Version = "403046873" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\Media\3 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open\command\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D13CDD58E29E47545828D8F5C37A9782 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D13CDD58E29E47545828D8F5C37A9782\ProductFeature msiexec.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\DefaultIcon\ = "\"C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe\", 1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\PackageName = "Cloudflare_WARP_2024.6.473.0 (1).msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\URL Protocol msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\ProductName = "Cloudflare WARP" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\ProductIcon = "C:\\Windows\\Installer\\{85DDC31D-E92E-4574-8582-8D5F3CA77928}\\icon.ico" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell\open msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\com.cloudflare.warp\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\Media\1 = ";" msiexec.exe Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\com.cloudflare.warp\ = "URL:com.cloudflare.warp Protocol" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\52824FB156B79AC4FAFF7B5B1EEC724B\D13CDD58E29E47545828D8F5C37A9782 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D13CDD58E29E47545828D8F5C37A9782\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5104 Cloudflare WARP.exe 5104 Cloudflare WARP.exe -
Suspicious behavior: LoadsDriver 20 IoCs
pid Process 628 Process not Found 628 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 628 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3364 msiexec.exe Token: SeIncreaseQuotaPrivilege 3364 msiexec.exe Token: SeSecurityPrivilege 504 msiexec.exe Token: SeCreateTokenPrivilege 3364 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3364 msiexec.exe Token: SeLockMemoryPrivilege 3364 msiexec.exe Token: SeIncreaseQuotaPrivilege 3364 msiexec.exe Token: SeMachineAccountPrivilege 3364 msiexec.exe Token: SeTcbPrivilege 3364 msiexec.exe Token: SeSecurityPrivilege 3364 msiexec.exe Token: SeTakeOwnershipPrivilege 3364 msiexec.exe Token: SeLoadDriverPrivilege 3364 msiexec.exe Token: SeSystemProfilePrivilege 3364 msiexec.exe Token: SeSystemtimePrivilege 3364 msiexec.exe Token: SeProfSingleProcessPrivilege 3364 msiexec.exe Token: SeIncBasePriorityPrivilege 3364 msiexec.exe Token: SeCreatePagefilePrivilege 3364 msiexec.exe Token: SeCreatePermanentPrivilege 3364 msiexec.exe Token: SeBackupPrivilege 3364 msiexec.exe Token: SeRestorePrivilege 3364 msiexec.exe Token: SeShutdownPrivilege 3364 msiexec.exe Token: SeDebugPrivilege 3364 msiexec.exe Token: SeAuditPrivilege 3364 msiexec.exe Token: SeSystemEnvironmentPrivilege 3364 msiexec.exe Token: SeChangeNotifyPrivilege 3364 msiexec.exe Token: SeRemoteShutdownPrivilege 3364 msiexec.exe Token: SeUndockPrivilege 3364 msiexec.exe Token: SeSyncAgentPrivilege 3364 msiexec.exe Token: SeEnableDelegationPrivilege 3364 msiexec.exe Token: SeManageVolumePrivilege 3364 msiexec.exe Token: SeImpersonatePrivilege 3364 msiexec.exe Token: SeCreateGlobalPrivilege 3364 msiexec.exe Token: SeBackupPrivilege 2264 vssvc.exe Token: SeRestorePrivilege 2264 vssvc.exe Token: SeAuditPrivilege 2264 vssvc.exe Token: SeBackupPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeBackupPrivilege 2440 srtasks.exe Token: SeRestorePrivilege 2440 srtasks.exe Token: SeSecurityPrivilege 2440 srtasks.exe Token: SeTakeOwnershipPrivilege 2440 srtasks.exe 
Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeBackupPrivilege 2440 srtasks.exe Token: SeRestorePrivilege 2440 srtasks.exe Token: SeSecurityPrivilege 2440 srtasks.exe Token: SeTakeOwnershipPrivilege 2440 srtasks.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe Token: SeTakeOwnershipPrivilege 504 msiexec.exe Token: SeRestorePrivilege 504 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3364 msiexec.exe 3364 msiexec.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 504 wrote to memory of 2440 504 msiexec.exe 75 PID 504 wrote to memory of 2440 504 msiexec.exe 75 PID 504 wrote to memory of 4968 504 msiexec.exe 77 PID 504 wrote to memory of 4968 504 msiexec.exe 77 PID 504 wrote to memory of 4968 504 msiexec.exe 77 PID 504 wrote to memory of 1272 504 msiexec.exe 78 PID 504 wrote to memory of 1272 504 msiexec.exe 78 PID 1272 wrote to memory of 1420 1272 MsiExec.exe 79 PID 1272 wrote to memory of 1420 1272 MsiExec.exe 79 PID 1272 wrote to memory of 984 1272 MsiExec.exe 80 PID 1272 wrote to memory of 984 1272 MsiExec.exe 80 PID 984 wrote to memory of 5108 984 rundll32.exe 81 PID 984 wrote to memory of 5108 984 rundll32.exe 81 PID 984 wrote to memory of 4560 984 rundll32.exe 83 PID 984 wrote to memory of 4560 984 rundll32.exe 83 PID 984 wrote to memory of 4552 984 rundll32.exe 85 PID 984 wrote to memory of 4552 984 rundll32.exe 85 PID 984 wrote to memory of 492 984 rundll32.exe 87 PID 984 wrote to memory of 492 984 rundll32.exe 87 PID 984 wrote to memory of 2552 984 rundll32.exe 89 PID 984 wrote to memory of 2552 984 rundll32.exe 89 PID 504 wrote to memory of 4468 504 msiexec.exe 91 PID 504 wrote to memory of 4468 504 msiexec.exe 91 PID 504 wrote to memory of 4468 504 msiexec.exe 91 PID 504 wrote to memory of 5104 504 msiexec.exe 93 PID 504 wrote to memory of 5104 504 msiexec.exe 93 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_2024.6.473.0 (1).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3364
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504 -
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 794E796CC5B0ABE21AA4A2521280F091
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4968
-
-
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 3CD19B525C9F233CA1A6ED3F04162825 E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBAB4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240696156 25 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.ReadCmdLineParams
3⤵
- Drops file in Windows directory
- Loads dropped DLL
PID:1420
-
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICAE2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240700156 36 Warp.Installer.Actions!Warp.Installer.Actions.CustomActions.InstallService
3⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\system32\sc.exe
"sc.exe" create CloudflareWARP binPath= "\"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe"\" displayname= "Cloudflare WARP" start= "auto"
4⤵
- Network Service Discovery
- Launches sc.exe
PID:5108
-
-
C:\Windows\system32\sc.exe"sc.exe" config CloudflareWARP depend= "wlansvc"4⤵
- Launches sc.exe
PID:4560
-
-
C:\Windows\system32\sc.exe"sc.exe" failure CloudflareWARP reset= 86400 actions= restart/0/restart/1000/restart/50004⤵
- Launches sc.exe
PID:4552
-
-
C:\Windows\system32\sc.exe"sc.exe" failureflag CloudflareWARP 14⤵
- Launches sc.exe
PID:492
-
-
C:\Windows\system32\sc.exe"sc.exe" config CloudflareWARP start=AUTO4⤵
- Launches sc.exe
PID:2552
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0CB02066E090E60C8458F36995F20750 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4468
-
-
C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"C:\Program Files\Cloudflare\Cloudflare WARP\Cloudflare WARP.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5104
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3656
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s SstpSvc1⤵PID:976
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4468
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
- Drops file in Windows directory
PID:4092
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵PID:4116
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵PID:3616
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵PID:1572
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s RasMan1⤵PID:3692
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:660
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s fdPHost1⤵PID:3536
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 471B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A1FD711B5F0A7924268EA06FE66230B3
Filesize 727B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 727B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 400B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A1FD711B5F0A7924268EA06FE66230B3
Filesize 404B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 412B
-
\??\Volume{4f38e779-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1cb54fb4-b6cc-4f19-ad1e-bc43cfab0357}_OnDiskSnapshotProp
Filesize 5KB
-
\Users\Admin\AppData\Local\Temp\.net\Cloudflare WARP\Nhvob35yKExIi2OirJelAzO+2my1ITI=\PresentationNative_cor3.dll
Filesize 1.2MB