ramnit | cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c

Analysis

max time kernel
177s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
Size

241KB
MD5

432e72f8c7c3a6c3fe08bc37c7d05eb1
SHA1

37fe5b4a590d5634b9c426688c014226eccbce4f
SHA256

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c
SHA512

21e4f8ad5946c4d4817a8d81db919bba7721c547fb06435f0dda8223a26e854666bfedcfd978e80e9ec8c0c4d92bc600822e94e81d03ef6c2a2451062d3608c1
SSDEEP

3072:ynxwgxgfR/DVG7wBpEu/olCccw+Um4i1APz/S1vKic2GL2jAnEAfuGSlyrYI:y+xDVG0Bpvccus187aKXfdSuR

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 3 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exeWaterMark.exeWaterMark.exe

pid process

1996 cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
1296 WaterMark.exe
1424 WaterMark.exe

pid	process
1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
1296	WaterMark.exe
1424	WaterMark.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/540-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/540-64-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1996-75-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/540-76-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1424-89-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1424-91-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1296-96-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1296-94-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1424-235-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.execf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe

pid	process
540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 12 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.execf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px71D7.tmp	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px71D8.tmp	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

WaterMark.exeWaterMark.exesvchost.exe

pid	process
1296	WaterMark.exe
1296	WaterMark.exe
1424	WaterMark.exe
1424	WaterMark.exe
1424	WaterMark.exe
1424	WaterMark.exe
1424	WaterMark.exe
1424	WaterMark.exe
1424	WaterMark.exe
1424	WaterMark.exe
2000	svchost.exe
1296	WaterMark.exe
1296	WaterMark.exe
1296	WaterMark.exe
1296	WaterMark.exe
1296	WaterMark.exe
1296	WaterMark.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WaterMark.exeWaterMark.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1296	WaterMark.exe
Token: SeDebugPrivilege	1424	WaterMark.exe
Token: SeDebugPrivilege	2000	svchost.exe
Token: SeDebugPrivilege	1984	svchost.exe
Token: SeDebugPrivilege	1296	WaterMark.exe
Token: SeDebugPrivilege	1424	WaterMark.exe
Token: SeDebugPrivilege	1540	svchost.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.execf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exeWaterMark.exeWaterMark.exe

pid	process
540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
1424	WaterMark.exe
1296	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.execf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exeWaterMark.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 540 wrote to memory of 1996	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
PID 540 wrote to memory of 1996	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
PID 540 wrote to memory of 1996	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
PID 540 wrote to memory of 1996	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
PID 1996 wrote to memory of 1296	1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe	WaterMark.exe
PID 1996 wrote to memory of 1296	1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe	WaterMark.exe
PID 1996 wrote to memory of 1296	1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe	WaterMark.exe
PID 1996 wrote to memory of 1296	1996	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe	WaterMark.exe
PID 540 wrote to memory of 1424	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	WaterMark.exe
PID 540 wrote to memory of 1424	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	WaterMark.exe
PID 540 wrote to memory of 1424	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	WaterMark.exe
PID 540 wrote to memory of 1424	540	cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe	WaterMark.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 368	1424	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1296 wrote to memory of 1540	1296	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 1424 wrote to memory of 2000	1424	WaterMark.exe	svchost.exe
PID 2000 wrote to memory of 260	2000	svchost.exe	smss.exe
PID 2000 wrote to memory of 260	2000	svchost.exe	smss.exe
PID 2000 wrote to memory of 260	2000	svchost.exe	smss.exe
PID 2000 wrote to memory of 260	2000	svchost.exe	smss.exe
PID 2000 wrote to memory of 260	2000	svchost.exe	smss.exe
PID 2000 wrote to memory of 332	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 332	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 332	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 332	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 332	2000	svchost.exe	csrss.exe
PID 1296 wrote to memory of 1984	1296	WaterMark.exe	svchost.exe
PID 2000 wrote to memory of 372	2000	svchost.exe	wininit.exe
PID 2000 wrote to memory of 372	2000	svchost.exe	wininit.exe
PID 2000 wrote to memory of 372	2000	svchost.exe	wininit.exe
PID 2000 wrote to memory of 372	2000	svchost.exe	wininit.exe
PID 2000 wrote to memory of 372	2000	svchost.exe	wininit.exe
PID 2000 wrote to memory of 384	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 384	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 384	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 384	2000	svchost.exe	csrss.exe
PID 2000 wrote to memory of 384	2000	svchost.exe	csrss.exe
PID 1296 wrote to memory of 1984	1296	WaterMark.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:584

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1052

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1084

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe
"C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993c.exe"
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2036

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
\Users\Admin\AppData\Local\Temp\cf08a5909b3db8517fbd154d29d88f624f29c277ca282363ad2e4371a076993cmgr.exe
Filesize
119KB

MD5
38a96de610bef6a122677e93885fd380

SHA1
5db38bffdedc43790359bab324121dd60472ee77

SHA256
c41c2011fe11b2bddf392d57fa1f7513f234243fd79cd34f01030e86a15827f9

SHA512
9520643685d3c5a90b39f51668cfb5f2eedca1c02f2d3acabc9834946fd107d97b526f882d739b617c0881a1552d0065d27ddd9c1cf244dcaf061c9f6ddb1830

Download Submit
memory/368-93-0x0000000000000000-mapping.dmp

Download
memory/368-98-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/368-236-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/368-108-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/368-99-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/368-88-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/540-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1296-96-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1296-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1296-71-0x0000000000000000-mapping.dmp

Download
memory/1424-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1424-73-0x0000000000000000-mapping.dmp

Download
memory/1424-235-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1540-97-0x0000000000000000-mapping.dmp

Download
memory/1984-129-0x0000000000000000-mapping.dmp

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download
memory/1996-75-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2000-113-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2000-112-0x0000000000000000-mapping.dmp

Download
memory/2000-110-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download