c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 04:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
Size

288KB
MD5

72089e20c481a1ad56fa9433afa1f0f0
SHA1

c49444ced568c3ba3d049da43c6decae54ef046a
SHA256

c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0
SHA512

23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018
SSDEEP

3072:2xf02hqbJ1y4GNq5jz+/YiMaRzKMr36FfKl/9Ayye+v6dYoR0OqHOeXzN:MqHGoq/TMTMeW/9JD+wR0OqueDN

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe
912	WaterMark.exe
960	WaterMark.exe
1228	WaterMarkmgr.exe
1428	WaterMark.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1112-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1112-64-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1112-72-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1788-80-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1228-95-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/912-98-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/912-102-0x0000000000120000-0x000000000014F000-memory.dmp	upx
behavioral1/memory/960-103-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1428-105-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/960-136-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1428-135-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/960-237-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe
1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe
912	WaterMark.exe
912	WaterMark.exe
1228	WaterMarkmgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF806.tmp	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxF816.tmp	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFA66.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
912	WaterMark.exe
912	WaterMark.exe
1428	WaterMark.exe
1428	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
960	WaterMark.exe
432	svchost.exe
1428	WaterMark.exe
1428	WaterMark.exe
1428	WaterMark.exe
1428	WaterMark.exe
912	WaterMark.exe
912	WaterMark.exe
912	WaterMark.exe
912	WaterMark.exe
1428	WaterMark.exe
1428	WaterMark.exe
912	WaterMark.exe
912	WaterMark.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	WaterMark.exe
Token: SeDebugPrivilege	1428	WaterMark.exe
Token: SeDebugPrivilege	960	WaterMark.exe
Token: SeDebugPrivilege	432	svchost.exe
Token: SeDebugPrivilege	2028	svchost.exe
Token: SeDebugPrivilege	960	WaterMark.exe
Token: SeDebugPrivilege	912	WaterMark.exe
Token: SeDebugPrivilege	320	svchost.exe
Token: SeDebugPrivilege	1428	WaterMark.exe
Token: SeDebugPrivilege	1608	svchost.exe
Token: SeDebugPrivilege	1908	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe
960	WaterMark.exe
912	WaterMark.exe
1228	WaterMarkmgr.exe
1428	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1788	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	28
PID 1112 wrote to memory of 1788	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	28
PID 1112 wrote to memory of 1788	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	28
PID 1112 wrote to memory of 1788	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	28
PID 1112 wrote to memory of 912	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	29
PID 1112 wrote to memory of 912	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	29
PID 1112 wrote to memory of 912	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	29
PID 1112 wrote to memory of 912	1112	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe	29
PID 1788 wrote to memory of 960	1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe	30
PID 1788 wrote to memory of 960	1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe	30
PID 1788 wrote to memory of 960	1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe	30
PID 1788 wrote to memory of 960	1788	c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe	30
PID 912 wrote to memory of 1228	912	WaterMark.exe	31
PID 912 wrote to memory of 1228	912	WaterMark.exe	31
PID 912 wrote to memory of 1228	912	WaterMark.exe	31
PID 912 wrote to memory of 1228	912	WaterMark.exe	31
PID 1228 wrote to memory of 1428	1228	WaterMarkmgr.exe	33
PID 1228 wrote to memory of 1428	1228	WaterMarkmgr.exe	33
PID 1228 wrote to memory of 1428	1228	WaterMarkmgr.exe	33
PID 1228 wrote to memory of 1428	1228	WaterMarkmgr.exe	33
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 960 wrote to memory of 1088	960	WaterMark.exe	35
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 1428 wrote to memory of 1608	1428	WaterMark.exe	34
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 912 wrote to memory of 320	912	WaterMark.exe	32
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 960 wrote to memory of 432	960	WaterMark.exe	36
PID 432 wrote to memory of 260	432	svchost.exe	7
PID 432 wrote to memory of 260	432	svchost.exe	7
PID 432 wrote to memory of 260	432	svchost.exe	7
PID 432 wrote to memory of 260	432	svchost.exe	7

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:760
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1092
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:756
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1148
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:884
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:860
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe
  "C:\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe
    C:\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1088
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
      "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2028

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1928

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2000

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
288KB

MD5
72089e20c481a1ad56fa9433afa1f0f0

SHA1
c49444ced568c3ba3d049da43c6decae54ef046a

SHA256
c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0

SHA512
23f4d5b73e167562b628bae24a35466c4b1c2b2336264568ccc05f3aa189177c775a91f61995c44105a8680d62f22639a5d34e9eb4a8185e02d1a368cfb1d018

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
\Users\Admin\AppData\Local\Temp\c92d71e425ca1072d85a03de563313ad5eed9044c855a925d4005dcc1b60e5c0mgr.exe

Filesize
143KB

MD5
6d1e8fadd49e3e724e090e20d6e86d22

SHA1
ec0b0d91bd5639cd1b22ebee49e300f5d8efa561

SHA256
094277f8b282b8339ee9c2c2715a17c4838c61491f120176368df6b52f51072e

SHA512
1993b24986889260ea88f529445ea8cff02c29e140abca3950cf7e6627e3ec99a58e94b69258bb5ad94bca16f0fa8dd35a008805c944d85e335c105ae693882f

Download Submit
memory/432-142-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/432-139-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/912-102-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/912-98-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/912-100-0x0000000000120000-0x000000000014F000-memory.dmp

Filesize
188KB

Download
memory/960-237-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/960-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/960-103-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1088-110-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1088-137-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1088-292-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1088-121-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1088-119-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1112-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1112-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1112-72-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1228-95-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1428-135-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1428-105-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1788-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download