f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

Analysis

max time kernel
151s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
Size

400KB
MD5

90596b38302fa3036a151c74a00c25c1
SHA1

d528bbbab87baafe88d8dba1cf048badfb3276ef
SHA256

f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910
SHA512

941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a
SSDEEP

3072:KR2xn3k0CdM1vabyzJYWqgT7a55Qhj0XVq+eeHs60IIeLSD4XM+TzHv/hTciu:KR2J0LS6VqZ5KE+eBcIiXM+n/5Bu

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
848	WaterMark.exe
1756	WaterMark.exe
2032	WaterMarkmgr.exe
1640	WaterMark.exe
1544	WaterMarkmgr.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1364-66-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1824-78-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1756-99-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1756-107-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/848-111-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1640-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2032-108-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2032-104-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1364-77-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/848-224-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 11 IoCs

pid	Process
1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
848	WaterMark.exe
848	WaterMark.exe
2032	WaterMarkmgr.exe
1640	WaterMark.exe
1640	WaterMark.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px26C3.tmp	WaterMarkmgr.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px24C1.tmp	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px24D0.tmp	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1756	WaterMark.exe
1756	WaterMark.exe
848	WaterMark.exe
848	WaterMark.exe
848	WaterMark.exe
848	WaterMark.exe
848	WaterMark.exe
848	WaterMark.exe
1756	WaterMark.exe
1756	WaterMark.exe
1756	WaterMark.exe
1756	WaterMark.exe
848	WaterMark.exe
848	WaterMark.exe
1756	WaterMark.exe
1756	WaterMark.exe
1252	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	WaterMark.exe
Token: SeDebugPrivilege	848	WaterMark.exe
Token: SeDebugPrivilege	1252	svchost.exe
Token: SeDebugPrivilege	1336	svchost.exe
Token: SeDebugPrivilege	1756	WaterMark.exe
Token: SeDebugPrivilege	848	WaterMark.exe
Token: SeDebugPrivilege	1764	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
1756	WaterMark.exe
848	WaterMark.exe
2032	WaterMarkmgr.exe
1640	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1824	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	19
PID 1364 wrote to memory of 1824	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	19
PID 1364 wrote to memory of 1824	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	19
PID 1364 wrote to memory of 1824	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	19
PID 1364 wrote to memory of 1756	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	26
PID 1364 wrote to memory of 1756	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	26
PID 1364 wrote to memory of 1756	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	26
PID 1364 wrote to memory of 1756	1364	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe	26
PID 1824 wrote to memory of 848	1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe	25
PID 1824 wrote to memory of 848	1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe	25
PID 1824 wrote to memory of 848	1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe	25
PID 1824 wrote to memory of 848	1824	f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe	25
PID 848 wrote to memory of 2032	848	WaterMark.exe	20
PID 848 wrote to memory of 2032	848	WaterMark.exe	20
PID 848 wrote to memory of 2032	848	WaterMark.exe	20
PID 848 wrote to memory of 2032	848	WaterMark.exe	20
PID 2032 wrote to memory of 1640	2032	WaterMarkmgr.exe	21
PID 2032 wrote to memory of 1640	2032	WaterMarkmgr.exe	21
PID 2032 wrote to memory of 1640	2032	WaterMarkmgr.exe	21
PID 2032 wrote to memory of 1640	2032	WaterMarkmgr.exe	21
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 1756 wrote to memory of 968	1756	WaterMark.exe	23
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 848 wrote to memory of 1764	848	WaterMark.exe	24
PID 1640 wrote to memory of 1544	1640	WaterMark.exe	22
PID 1640 wrote to memory of 1544	1640	WaterMark.exe	22
PID 1640 wrote to memory of 1544	1640	WaterMark.exe	22
PID 1640 wrote to memory of 1544	1640	WaterMark.exe	22
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 848 wrote to memory of 1252	848	WaterMark.exe	36
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37
PID 1756 wrote to memory of 1336	1756	WaterMark.exe	37

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:240
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1660
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1040
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1084
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:868
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:840
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1820

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe
"C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
  C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
    "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
    3⤵
    - Executes dropped EXE
    PID:1544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
400KB

MD5
90596b38302fa3036a151c74a00c25c1

SHA1
d528bbbab87baafe88d8dba1cf048badfb3276ef

SHA256
f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910

SHA512
941684bbf6942968ee96073305a79b4ee21eb3e12f48500f799e632195954cddb7ceb0ebe5b12a8b98a4ef0ddf15d7a90c1337498a953060d6140d351da2243a

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
\Program Files (x86)\Microsoft\WaterMarkmgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
\Users\Admin\AppData\Local\Temp\f85b374fc1740db2bb6b1dfaf51276efb45287e678011dc92f8865f4866d8910mgr.exe

Filesize
199KB

MD5
88211332d4fc42a9cc876ec6a973af54

SHA1
4c373cd811d2947317865ead3804b31aa89d81b1

SHA256
0f7506b46152b82d0bfc2b82098f7635cfbedb96b7bb7899a0f9ac26983de8b5

SHA512
207e6c1674a06506feee83e02b13d6474bf142522d8638ed03a4d6d2748ace8d238c04785a6082ed56e69b696f92011185a4bae9aebe7e6c17aa644f9998f7ae

Download Submit
memory/848-111-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/848-224-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/848-101-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/968-126-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/968-225-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/968-139-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1252-141-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1252-148-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1364-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1364-77-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1364-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1364-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1544-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1756-107-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1756-99-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1764-109-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1824-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2032-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-108-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download