Overview

overview

10

Static

static

f3b3e4ba7e...a7.exe

windows7-x64

8

f3b3e4ba7e...a7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2022 23:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7.exe

  • Size

    347KB

  • MD5

    4addbf039078b57a096cd968f050d900

  • SHA1

    33d03bac1abb334374234dc6adb1860201f7ba11

  • SHA256

    f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

  • SHA512

    06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

  • SSDEEP

    6144:sqHGoq/TMMFIgLYW6E5vmCTucxSbnc1u/RfjZC9/dBd/LA5oERq:s4dNMFIkP5vBuVdBjgB/2q

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 9 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • Executes dropped EXE 10 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 31 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:760
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2820
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:3372
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3444
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:3288
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              1⤵
                PID:3852
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:4688
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3732
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:3532
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                      1⤵
                        PID:3088
                      • C:\Windows\Explorer.EXE
                        C:\Windows\Explorer.EXE
                        1⤵
                          PID:600
                          • C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7.exe
                            "C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7.exe"
                            2⤵
                            • Modifies firewall policy service
                            • UAC bypass
                            • Windows security bypass
                            • Windows security modification
                            • Checks whether UAC is enabled
                            • Suspicious use of SetThreadContext
                            • Drops file in Program Files directory
                            • Drops file in Windows directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of UnmapMainImage
                            • Suspicious use of WriteProcessMemory
                            • System policy modification
                            PID:4576
                            • C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7mgr.exe
                              C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7mgr.exe
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Drops file in Program Files directory
                              • Suspicious use of UnmapMainImage
                              • Suspicious use of WriteProcessMemory
                              PID:4496
                              • C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7mgr.exe
                                "C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7mgr.exe"
                                4⤵
                                • Executes dropped EXE
                                PID:384
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 180
                                  5⤵
                                  • Program crash
                                  PID:2992
                              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                4⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Drops file in Program Files directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of UnmapMainImage
                                • Suspicious use of WriteProcessMemory
                                PID:4816
                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  PID:4360
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 180
                                    6⤵
                                    • Program crash
                                    PID:3548
                                • C:\Windows\SysWOW64\svchost.exe
                                  C:\Windows\system32\svchost.exe
                                  5⤵
                                    PID:4300
                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                    "C:\Program Files\Internet Explorer\iexplore.exe"
                                    5⤵
                                    • Modifies Internet Explorer settings
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4772
                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4772 CREDAT:17410 /prefetch:2
                                      6⤵
                                      • Modifies Internet Explorer settings
                                      • Suspicious use of SetWindowsHookEx
                                      PID:540
                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                    "C:\Program Files\Internet Explorer\iexplore.exe"
                                    5⤵
                                    • Modifies Internet Explorer settings
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SetWindowsHookEx
                                    PID:852
                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:17410 /prefetch:2
                                      6⤵
                                      • Modifies Internet Explorer settings
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2716
                              • C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7.exe
                                "C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7.exe"
                                3⤵
                                  PID:5028
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 180
                                    4⤵
                                    • Program crash
                                    PID:5004
                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Drops file in Program Files directory
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of UnmapMainImage
                                  • Suspicious use of WriteProcessMemory
                                  PID:4932
                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    PID:4872
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 180
                                      5⤵
                                      • Program crash
                                      PID:260
                                  • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                                    "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
                                    4⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Drops file in Program Files directory
                                    • Suspicious use of UnmapMainImage
                                    • Suspicious use of WriteProcessMemory
                                    PID:2200
                                    • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                      5⤵
                                      • Modifies firewall policy service
                                      • UAC bypass
                                      • Windows security bypass
                                      • Executes dropped EXE
                                      • Windows security modification
                                      • Checks whether UAC is enabled
                                      • Enumerates connected drives
                                      • Suspicious use of SetThreadContext
                                      • Drops file in Program Files directory
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of UnmapMainImage
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:112
                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:3360
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 180
                                          7⤵
                                          • Program crash
                                          PID:5112
                                      • C:\Windows\SysWOW64\svchost.exe
                                        C:\Windows\system32\svchost.exe
                                        6⤵
                                          PID:3352
                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                          6⤵
                                          • Modifies Internet Explorer settings
                                          PID:2924
                                        • C:\Program Files\Internet Explorer\iexplore.exe
                                          "C:\Program Files\Internet Explorer\iexplore.exe"
                                          6⤵
                                          • Modifies Internet Explorer settings
                                          PID:3556
                                    • C:\Windows\SysWOW64\svchost.exe
                                      C:\Windows\system32\svchost.exe
                                      4⤵
                                        PID:2484
                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                        4⤵
                                        • Modifies Internet Explorer settings
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SetWindowsHookEx
                                        PID:996
                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:17410 /prefetch:2
                                          5⤵
                                          • Modifies Internet Explorer settings
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1588
                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                        4⤵
                                        • Modifies Internet Explorer settings
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SetWindowsHookEx
                                        PID:3700
                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3700 CREDAT:17410 /prefetch:2
                                          5⤵
                                          • Modifies firewall policy service
                                          • UAC bypass
                                          • Windows security bypass
                                          • Enumerates connected drives
                                          • Drops autorun.inf file
                                          • Drops file in Program Files directory
                                          • Modifies Internet Explorer settings
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2616
                                • C:\Windows\system32\taskhostw.exe
                                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                  1⤵
                                    PID:2872
                                  • C:\Windows\system32\sihost.exe
                                    sihost.exe
                                    1⤵
                                      PID:2780
                                    • C:\Windows\system32\dwm.exe
                                      "dwm.exe"
                                      1⤵
                                        PID:1008
                                      • C:\Windows\system32\fontdrvhost.exe
                                        "fontdrvhost.exe"
                                        1⤵
                                          PID:768
                                        • C:\Windows\System32\RuntimeBroker.exe
                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                          1⤵
                                            PID:1960
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5028 -ip 5028
                                            1⤵
                                              PID:524
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 384 -ip 384
                                              1⤵
                                                PID:380
                                              • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                                                "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                PID:1864
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4360 -ip 4360
                                                1⤵
                                                  PID:4208
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1864 -ip 1864
                                                  1⤵
                                                    PID:4124
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4872 -ip 4872
                                                    1⤵
                                                      PID:4768
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3360 -ip 3360
                                                      1⤵
                                                        PID:3844

                                                      Network

                                                      MITRE ATT&CK Enterprise v6

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                        Filesize

                                                        347KB

                                                        MD5

                                                        4addbf039078b57a096cd968f050d900

                                                        SHA1

                                                        33d03bac1abb334374234dc6adb1860201f7ba11

                                                        SHA256

                                                        f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

                                                        SHA512

                                                        06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                        Filesize

                                                        347KB

                                                        MD5

                                                        4addbf039078b57a096cd968f050d900

                                                        SHA1

                                                        33d03bac1abb334374234dc6adb1860201f7ba11

                                                        SHA256

                                                        f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

                                                        SHA512

                                                        06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                        Filesize

                                                        347KB

                                                        MD5

                                                        4addbf039078b57a096cd968f050d900

                                                        SHA1

                                                        33d03bac1abb334374234dc6adb1860201f7ba11

                                                        SHA256

                                                        f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

                                                        SHA512

                                                        06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                        Filesize

                                                        347KB

                                                        MD5

                                                        4addbf039078b57a096cd968f050d900

                                                        SHA1

                                                        33d03bac1abb334374234dc6adb1860201f7ba11

                                                        SHA256

                                                        f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

                                                        SHA512

                                                        06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                        Filesize

                                                        347KB

                                                        MD5

                                                        4addbf039078b57a096cd968f050d900

                                                        SHA1

                                                        33d03bac1abb334374234dc6adb1860201f7ba11

                                                        SHA256

                                                        f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

                                                        SHA512

                                                        06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                        Filesize

                                                        347KB

                                                        MD5

                                                        4addbf039078b57a096cd968f050d900

                                                        SHA1

                                                        33d03bac1abb334374234dc6adb1860201f7ba11

                                                        SHA256

                                                        f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

                                                        SHA512

                                                        06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                        Filesize

                                                        347KB

                                                        MD5

                                                        4addbf039078b57a096cd968f050d900

                                                        SHA1

                                                        33d03bac1abb334374234dc6adb1860201f7ba11

                                                        SHA256

                                                        f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7

                                                        SHA512

                                                        06c231f0975bd36c8c8759ee7cef81d7de1b9d04898b031b43572c7b2d8269c15f51d6837aaa25da09de76d9fbd31603438522e026278a7da7c654ebe2223212

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                                                        Filesize

                                                        172KB

                                                        MD5

                                                        8c668c57fc827bde8cb462ce4d576663

                                                        SHA1

                                                        e0cdc29056293a0cdf5d0f9142ba58b5549f5465

                                                        SHA256

                                                        3b13ecbe0591455748f141e6faf53294a415de048bc5ac910057212a07789c32

                                                        SHA512

                                                        235d7d20418411b9491f7f05457bad85ea5d1541f559d3cd29677d72c94ce12c7a0e381ff2f4fde53d5b89e4559dfd4b8f41e2ba0f72ff28ef5fceb5d96180ab

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                                                        Filesize

                                                        172KB

                                                        MD5

                                                        8c668c57fc827bde8cb462ce4d576663

                                                        SHA1

                                                        e0cdc29056293a0cdf5d0f9142ba58b5549f5465

                                                        SHA256

                                                        3b13ecbe0591455748f141e6faf53294a415de048bc5ac910057212a07789c32

                                                        SHA512

                                                        235d7d20418411b9491f7f05457bad85ea5d1541f559d3cd29677d72c94ce12c7a0e381ff2f4fde53d5b89e4559dfd4b8f41e2ba0f72ff28ef5fceb5d96180ab

                                                        Download Submit

                                                      • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                                                        Filesize

                                                        172KB

                                                        MD5

                                                        8c668c57fc827bde8cb462ce4d576663

                                                        SHA1

                                                        e0cdc29056293a0cdf5d0f9142ba58b5549f5465

                                                        SHA256

                                                        3b13ecbe0591455748f141e6faf53294a415de048bc5ac910057212a07789c32

                                                        SHA512

                                                        235d7d20418411b9491f7f05457bad85ea5d1541f559d3cd29677d72c94ce12c7a0e381ff2f4fde53d5b89e4559dfd4b8f41e2ba0f72ff28ef5fceb5d96180ab

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        471B

                                                        MD5

                                                        fceed7a5f76725fb398c6a91ff552899

                                                        SHA1

                                                        237aec000ae7c7c35a639664b1ad6c0d842a0749

                                                        SHA256

                                                        2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

                                                        SHA512

                                                        adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        471B

                                                        MD5

                                                        fceed7a5f76725fb398c6a91ff552899

                                                        SHA1

                                                        237aec000ae7c7c35a639664b1ad6c0d842a0749

                                                        SHA256

                                                        2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

                                                        SHA512

                                                        adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        471B

                                                        MD5

                                                        fceed7a5f76725fb398c6a91ff552899

                                                        SHA1

                                                        237aec000ae7c7c35a639664b1ad6c0d842a0749

                                                        SHA256

                                                        2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

                                                        SHA512

                                                        adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        471B

                                                        MD5

                                                        fceed7a5f76725fb398c6a91ff552899

                                                        SHA1

                                                        237aec000ae7c7c35a639664b1ad6c0d842a0749

                                                        SHA256

                                                        2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

                                                        SHA512

                                                        adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        404B

                                                        MD5

                                                        67d365f5db6c157eb0b650ed83881de9

                                                        SHA1

                                                        d82c459c32cba42a0f3dada08cfe1cad8ecb33d9

                                                        SHA256

                                                        f25a86baf4cd50521e81bdf21df3b9651ac3911c7423b0b6b9c989dcf3c9cd52

                                                        SHA512

                                                        87482a5e152c566cb44c07d984af399019bda370b183d012fe4188ed87147b0b2432d70f747ac176ace372566e9cf509a927c5fa63562ed970ccb9a2dfdc365a

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        404B

                                                        MD5

                                                        67d365f5db6c157eb0b650ed83881de9

                                                        SHA1

                                                        d82c459c32cba42a0f3dada08cfe1cad8ecb33d9

                                                        SHA256

                                                        f25a86baf4cd50521e81bdf21df3b9651ac3911c7423b0b6b9c989dcf3c9cd52

                                                        SHA512

                                                        87482a5e152c566cb44c07d984af399019bda370b183d012fe4188ed87147b0b2432d70f747ac176ace372566e9cf509a927c5fa63562ed970ccb9a2dfdc365a

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        404B

                                                        MD5

                                                        67d365f5db6c157eb0b650ed83881de9

                                                        SHA1

                                                        d82c459c32cba42a0f3dada08cfe1cad8ecb33d9

                                                        SHA256

                                                        f25a86baf4cd50521e81bdf21df3b9651ac3911c7423b0b6b9c989dcf3c9cd52

                                                        SHA512

                                                        87482a5e152c566cb44c07d984af399019bda370b183d012fe4188ed87147b0b2432d70f747ac176ace372566e9cf509a927c5fa63562ed970ccb9a2dfdc365a

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        404B

                                                        MD5

                                                        978eba8dfe08da901e3d21b909efb68c

                                                        SHA1

                                                        795e6554750499dbf9609282c8ee313ea8d52074

                                                        SHA256

                                                        ef4ae5d1c8623ac9e093640c8e50140886d1aeaacdd54ac5dd02a7161dbfacac

                                                        SHA512

                                                        24b67b4390dc40db943f8f341036362a60b5be715c71d8b8ca740c25973e2b8091df77f6fe0cf214a2d409e4e10602014ecf4356a74d796e4931d818867e4624

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        404B

                                                        MD5

                                                        978eba8dfe08da901e3d21b909efb68c

                                                        SHA1

                                                        795e6554750499dbf9609282c8ee313ea8d52074

                                                        SHA256

                                                        ef4ae5d1c8623ac9e093640c8e50140886d1aeaacdd54ac5dd02a7161dbfacac

                                                        SHA512

                                                        24b67b4390dc40db943f8f341036362a60b5be715c71d8b8ca740c25973e2b8091df77f6fe0cf214a2d409e4e10602014ecf4356a74d796e4931d818867e4624

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                                                        Filesize

                                                        404B

                                                        MD5

                                                        978eba8dfe08da901e3d21b909efb68c

                                                        SHA1

                                                        795e6554750499dbf9609282c8ee313ea8d52074

                                                        SHA256

                                                        ef4ae5d1c8623ac9e093640c8e50140886d1aeaacdd54ac5dd02a7161dbfacac

                                                        SHA512

                                                        24b67b4390dc40db943f8f341036362a60b5be715c71d8b8ca740c25973e2b8091df77f6fe0cf214a2d409e4e10602014ecf4356a74d796e4931d818867e4624

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0AD8AAD6-4909-11ED-B696-4AA92575F981}.dat
                                                        Filesize

                                                        5KB

                                                        MD5

                                                        9b88f2244d76eead30daf55c9c584aca

                                                        SHA1

                                                        8e7e4e7f448af7703b042d7b42bf0a42d64da7c9

                                                        SHA256

                                                        ec9386e38bc860ed2c16f919c2de9f6fedd33ca302fe6d29d6a7d0e8cb4c3d8c

                                                        SHA512

                                                        3653a4cf89fb578e0503a8d5117a20e87a3b8f94bd688af2b6bdefd3fe0cbe456bcad5ce8149436b135da190471d91d69bc1c40e078876d4d84edcebb417bdc2

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0ADD6C68-4909-11ED-B696-4AA92575F981}.dat
                                                        Filesize

                                                        5KB

                                                        MD5

                                                        92c1e564d4ea231ea9f7b1b27a72f021

                                                        SHA1

                                                        21f836353eb7d480dbd637c714379dcb6bb5a9bc

                                                        SHA256

                                                        20de38d81cb6a85ddabb52893e7c4cff4cd2b67fbfa698b297644266c31010ff

                                                        SHA512

                                                        ae2cfda87b790fde3be5a08bd8d576f7f1a9910f9f22577cdaac366f189d27ac46d1c225daf27b0be9d7e3a5b06658d7f8d4469d8964f2968b4992cb4126a875

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0ADD6C68-4909-11ED-B696-4AA92575F981}.dat
                                                        Filesize

                                                        5KB

                                                        MD5

                                                        92c1e564d4ea231ea9f7b1b27a72f021

                                                        SHA1

                                                        21f836353eb7d480dbd637c714379dcb6bb5a9bc

                                                        SHA256

                                                        20de38d81cb6a85ddabb52893e7c4cff4cd2b67fbfa698b297644266c31010ff

                                                        SHA512

                                                        ae2cfda87b790fde3be5a08bd8d576f7f1a9910f9f22577cdaac366f189d27ac46d1c225daf27b0be9d7e3a5b06658d7f8d4469d8964f2968b4992cb4126a875

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0AE492EC-4909-11ED-B696-4AA92575F981}.dat
                                                        Filesize

                                                        5KB

                                                        MD5

                                                        c25ec86d5117d79e7f311f246d52bdcf

                                                        SHA1

                                                        96ba7092889e102b966c0d1df56c59c99eba18a9

                                                        SHA256

                                                        0373768464f4ae6867290adbb98b78474f575f87222c87a60bf1dbcf0e6b8f6d

                                                        SHA512

                                                        677b63c918915ff0c955332f06f58baf7b6d5776eb99f48efabde01391fdd2910c6849d0c4cbb766a9891f9316c3e4f699c17efb6d54e1e257c85055df6fa115

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7mgr.exe
                                                        Filesize

                                                        172KB

                                                        MD5

                                                        8c668c57fc827bde8cb462ce4d576663

                                                        SHA1

                                                        e0cdc29056293a0cdf5d0f9142ba58b5549f5465

                                                        SHA256

                                                        3b13ecbe0591455748f141e6faf53294a415de048bc5ac910057212a07789c32

                                                        SHA512

                                                        235d7d20418411b9491f7f05457bad85ea5d1541f559d3cd29677d72c94ce12c7a0e381ff2f4fde53d5b89e4559dfd4b8f41e2ba0f72ff28ef5fceb5d96180ab

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7mgr.exe
                                                        Filesize

                                                        172KB

                                                        MD5

                                                        8c668c57fc827bde8cb462ce4d576663

                                                        SHA1

                                                        e0cdc29056293a0cdf5d0f9142ba58b5549f5465

                                                        SHA256

                                                        3b13ecbe0591455748f141e6faf53294a415de048bc5ac910057212a07789c32

                                                        SHA512

                                                        235d7d20418411b9491f7f05457bad85ea5d1541f559d3cd29677d72c94ce12c7a0e381ff2f4fde53d5b89e4559dfd4b8f41e2ba0f72ff28ef5fceb5d96180ab

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\f3b3e4ba7e399127fb40b58cbdf72f98b906fd43f0e3162898eaf03ab05eb5a7mgr.exe
                                                        Filesize

                                                        172KB

                                                        MD5

                                                        8c668c57fc827bde8cb462ce4d576663

                                                        SHA1

                                                        e0cdc29056293a0cdf5d0f9142ba58b5549f5465

                                                        SHA256

                                                        3b13ecbe0591455748f141e6faf53294a415de048bc5ac910057212a07789c32

                                                        SHA512

                                                        235d7d20418411b9491f7f05457bad85ea5d1541f559d3cd29677d72c94ce12c7a0e381ff2f4fde53d5b89e4559dfd4b8f41e2ba0f72ff28ef5fceb5d96180ab

                                                        Download Submit

                                                      • C:\Windows\SYSTEM.INI
                                                        Filesize

                                                        257B

                                                        MD5

                                                        9cb5395205555b48510c478c0206e2f4

                                                        SHA1

                                                        8838f903367e7a789a4c7cbe200b05a96d7fbd55

                                                        SHA256

                                                        2190cf94287b556a91e3acbb9a30f98a7de2cc61b3150697c1d5dfc6c87b8b6b

                                                        SHA512

                                                        8359ab22a183a547ddc2284a05d958c342d2b908e48ec1553c10e78a279c6f6eacb49ae5c9106c927d2ab6c0d19afcc1151fd46abaa51456851076f727fb7e59

                                                        Download Submit

                                                      • memory/112-221-0x0000000002F20000-0x0000000003FAE000-memory.dmp

                                                        Filesize

                                                        16.6MB

                                                        Download

                                                      • memory/112-210-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/112-209-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/112-208-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/112-217-0x0000000002F20000-0x0000000003FAE000-memory.dmp

                                                        Filesize

                                                        16.6MB

                                                        Download

                                                      • memory/112-218-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/112-207-0x0000000002F20000-0x0000000003FAE000-memory.dmp

                                                        Filesize

                                                        16.6MB

                                                        Download

                                                      • memory/112-219-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/112-199-0x0000000002F20000-0x0000000003FAE000-memory.dmp

                                                        Filesize

                                                        16.6MB

                                                        Download

                                                      • memory/112-220-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/384-172-0x0000000000400000-0x0000000000434E52-memory.dmp

                                                        Filesize

                                                        211KB

                                                        Download

                                                      • memory/2200-187-0x0000000000400000-0x0000000000434E52-memory.dmp

                                                        Filesize

                                                        211KB

                                                        Download

                                                      • memory/2200-193-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/2200-176-0x0000000000400000-0x0000000000434E52-memory.dmp

                                                        Filesize

                                                        211KB

                                                        Download

                                                      • memory/2200-163-0x0000000000400000-0x0000000000434E52-memory.dmp

                                                        Filesize

                                                        211KB

                                                        Download

                                                      • memory/4496-155-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/4576-132-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4576-166-0x00000000030F0000-0x000000000417E000-memory.dmp

                                                        Filesize

                                                        16.6MB

                                                        Download

                                                      • memory/4576-152-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/4576-139-0x00000000030F0000-0x000000000417E000-memory.dmp

                                                        Filesize

                                                        16.6MB

                                                        Download

                                                      • memory/4576-143-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/4576-146-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/4816-184-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4816-181-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4816-189-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4816-216-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/4816-161-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4932-179-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4932-215-0x0000000000400000-0x0000000000421000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/4932-183-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4932-186-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/4932-188-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download

                                                      • memory/5028-168-0x0000000000400000-0x0000000000461000-memory.dmp

                                                        Filesize

                                                        388KB

                                                        Download