ramnit | 97f29ffb8c19657ae617866c01d5574b4ba5cd64ea32d40df54ecc22d2212e88

Analysis

max time kernel
154s
max time network
159s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0da34ec93538d3074163083dad3351a2.exe
Size

97KB
MD5

0da34ec93538d3074163083dad3351a2
SHA1

23018642d30d09444a74ef11721e3eda0f4ec71a
SHA256

97f29ffb8c19657ae617866c01d5574b4ba5cd64ea32d40df54ecc22d2212e88
SHA512

c23f1138289e52bdfeea40720cc3ec9faf434e6ac00e97d2efc7ccd9fdfd3fdc4c578fb056228aca220990e8293fa5aa5a835bffbd369767f1cf3251b0bf4295
SSDEEP

768:L06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw98:ZR0vxn3Pc0LCH9MtbvabUDzJYWu3B

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2740	WaterMark.exe

Loads dropped DLL 2 IoCs

pid	Process
1536	0da34ec93538d3074163083dad3351a2.exe
1536	0da34ec93538d3074163083dad3351a2.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1536-2-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1536-3-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1536-5-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1536-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1536-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1536-0-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1536-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-22-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2740-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-269-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-435-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcf.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\OmdBase.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline_is.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px58E9.tmp	0da34ec93538d3074163083dad3351a2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadco.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdfmap.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	svchost.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	WaterMark.exe
Token: SeDebugPrivilege	2480	svchost.exe
Token: SeDebugPrivilege	2740	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1536	0da34ec93538d3074163083dad3351a2.exe
2740	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2740	1536	0da34ec93538d3074163083dad3351a2.exe	28
PID 1536 wrote to memory of 2740	1536	0da34ec93538d3074163083dad3351a2.exe	28
PID 1536 wrote to memory of 2740	1536	0da34ec93538d3074163083dad3351a2.exe	28
PID 1536 wrote to memory of 2740	1536	0da34ec93538d3074163083dad3351a2.exe	28
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2568	2740	WaterMark.exe	29
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2740 wrote to memory of 2480	2740	WaterMark.exe	30
PID 2480 wrote to memory of 260	2480	svchost.exe	5
PID 2480 wrote to memory of 260	2480	svchost.exe	5
PID 2480 wrote to memory of 260	2480	svchost.exe	5
PID 2480 wrote to memory of 260	2480	svchost.exe	5
PID 2480 wrote to memory of 260	2480	svchost.exe	5
PID 2480 wrote to memory of 340	2480	svchost.exe	3
PID 2480 wrote to memory of 340	2480	svchost.exe	3
PID 2480 wrote to memory of 340	2480	svchost.exe	3
PID 2480 wrote to memory of 340	2480	svchost.exe	3
PID 2480 wrote to memory of 340	2480	svchost.exe	3
PID 2480 wrote to memory of 376	2480	svchost.exe	2
PID 2480 wrote to memory of 376	2480	svchost.exe	2
PID 2480 wrote to memory of 376	2480	svchost.exe	2
PID 2480 wrote to memory of 376	2480	svchost.exe	2
PID 2480 wrote to memory of 376	2480	svchost.exe	2
PID 2480 wrote to memory of 384	2480	svchost.exe	1
PID 2480 wrote to memory of 384	2480	svchost.exe	1
PID 2480 wrote to memory of 384	2480	svchost.exe	1
PID 2480 wrote to memory of 384	2480	svchost.exe	1
PID 2480 wrote to memory of 384	2480	svchost.exe	1
PID 2480 wrote to memory of 424	2480	svchost.exe	4
PID 2480 wrote to memory of 424	2480	svchost.exe	4
PID 2480 wrote to memory of 424	2480	svchost.exe	4
PID 2480 wrote to memory of 424	2480	svchost.exe	4
PID 2480 wrote to memory of 424	2480	svchost.exe	4
PID 2480 wrote to memory of 468	2480	svchost.exe	6
PID 2480 wrote to memory of 468	2480	svchost.exe	6
PID 2480 wrote to memory of 468	2480	svchost.exe	6
PID 2480 wrote to memory of 468	2480	svchost.exe	6
PID 2480 wrote to memory of 468	2480	svchost.exe	6
PID 2480 wrote to memory of 484	2480	svchost.exe	7
PID 2480 wrote to memory of 484	2480	svchost.exe	7
PID 2480 wrote to memory of 484	2480	svchost.exe	7
PID 2480 wrote to memory of 484	2480	svchost.exe	7
PID 2480 wrote to memory of 484	2480	svchost.exe	7
PID 2480 wrote to memory of 492	2480	svchost.exe	8
PID 2480 wrote to memory of 492	2480	svchost.exe	8
PID 2480 wrote to memory of 492	2480	svchost.exe	8
PID 2480 wrote to memory of 492	2480	svchost.exe	8
PID 2480 wrote to memory of 492	2480	svchost.exe	8

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:468
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:1208
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:772
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:684
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:544
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:300
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:844
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1604
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2436
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2084
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:484
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:340

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\0da34ec93538d3074163083dad3351a2.exe
  "C:\Users\Admin\AppData\Local\Temp\0da34ec93538d3074163083dad3351a2.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Program Files directory
      PID:2568
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
208KB

MD5
de5916ae1de5fa5e9cb708c7a891b96c

SHA1
5c2af9d3650963cc73e2ebfd65d85cee3dfb1edb

SHA256
fb3141b8f705c42477de399a40a6d3e2154309a81d7d693057de72cf0a123b64

SHA512
1856f2885bd562dc4f6d39529f622c77534547d50cc2f1bec3e7cbe4f9002975efa1f6adecaeef40406d3505a3b2dde1ebb84d120b345c0b000616ac52c4029a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
204KB

MD5
b596da81e83cb11dd7b0cae7570c750f

SHA1
dc72a2afada0dfac399b7543b8b5b63e3eeecfab

SHA256
4bb0dcb54ccbf0eeacfaf30d973240d98257edd9b50f63188f6dc4c1a75ab845

SHA512
01b57832eff915b389dd8b713c4ec12b454168e61b24b439495aede87e0673bc26959824614c0efdaa3ff766ac13d19aea50d33e7e4b2fd06f3d9b98da277949

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
97KB

MD5
0da34ec93538d3074163083dad3351a2

SHA1
23018642d30d09444a74ef11721e3eda0f4ec71a

SHA256
97f29ffb8c19657ae617866c01d5574b4ba5cd64ea32d40df54ecc22d2212e88

SHA512
c23f1138289e52bdfeea40720cc3ec9faf434e6ac00e97d2efc7ccd9fdfd3fdc4c578fb056228aca220990e8293fa5aa5a835bffbd369767f1cf3251b0bf4295

Download Submit
memory/1536-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1536-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1536-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1536-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1536-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1536-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1536-14-0x0000000000050000-0x0000000000085000-memory.dmp

Filesize
212KB

Download
memory/1536-3-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1536-4-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2480-77-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2480-60-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2480-79-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2480-80-0x00000000775D0000-0x00000000775D1000-memory.dmp

Filesize
4KB

Download
memory/2480-76-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2480-75-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2480-74-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2480-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2480-69-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2568-47-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2568-36-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2568-56-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2568-432-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2568-50-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2568-51-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2568-49-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2568-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2568-34-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2740-58-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2740-31-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2740-269-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-270-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2740-271-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2740-272-0x00000000775D0000-0x00000000775D1000-memory.dmp

Filesize
4KB

Download
memory/2740-277-0x00000000775CF000-0x00000000775D0000-memory.dmp

Filesize
4KB

Download
memory/2740-32-0x00000000775CF000-0x00000000775D0000-memory.dmp

Filesize
4KB

Download
memory/2740-435-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download