hijackloader | eea65eb3a1b2443e8e3f26ce6ad39a85150576bc43d757e17fb93deb938ff0f0

Analysis

max time kernel
126s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wasper-Setup.exe
Size

45.5MB
MD5

ee7517fda25c5c0f955c96bf416b35bf
SHA1

5538cd903d17837fcf1448933ea0b7f74793c868
SHA256

eea65eb3a1b2443e8e3f26ce6ad39a85150576bc43d757e17fb93deb938ff0f0
SHA512

e42f468a43e775bb12d44f857e2c5f6e7e088c0eab14acb885f10f30d26e9bd8a0656e8044f22019d6521156404647d7bb8024e0f60796f1d57c6e516cca14fc
SSDEEP

786432:+yS2qHe93TkaKlV0zik3gPqdOIEPh5eI0glAf69QEx+ExtOjPrnyl1tlfd9sQo:+v2PS5kwPoOlPhUI0gCC9L6jLqFTs7

Score

10^/10

hijackloader stealc wasp23 credential_access discovery execution loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

wasp23

http://45.156.27.196

Attributes

url_path
/4c7ef30d4540070f.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2508-533-0x0000000000400000-0x0000000000517000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

304 powershell.exe
1100 powershell.exe
1796 powershell.exe
2640 powershell.exe

pid	process
304	powershell.exe
1100	powershell.exe
1796	powershell.exe
2640	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
\Program Files (x86)\WasperApp\WasperApp.dll	net_reactor

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Downloads MZ/PE file
Suspicious use of SetThreadContext 1 IoCs

Processes:

snss1.exe

description pid process target process

PID 2508 set thread context of 1716 2508 snss1.exe cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	pid	process	target process
PID 2508 set thread context of 1716	2508	snss1.exe	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

Wasper-Setup.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\WasperApp\System.Text.Json.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Diagnostics.FileVersionInfo.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.ComponentModel.Annotations.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Diagnostics.Tracing.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.IO.Compression.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Text.Encodings.Web.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Threading.Overlapped.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\PresentationFramework.Classic.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Reflection.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Security.Principal.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Threading.Channels.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Windows.Forms.Design.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.IO.Pipes.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.IO.FileSystem.AccessControl.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Printing.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Runtime.Serialization.Xml.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Xml.XPath.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Diagnostics.TextWriterTraceListener.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Reflection.Extensions.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Security.Cryptography.ProtectedData.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Transactions.Local.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Collections.Immutable.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Net.Http.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Net.HttpListener.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Threading.dll	Wasper-Setup.exe
File opened for modification	C:\Program Files (x86)\WasperApp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\WasperApp\PresentationFramework.Aero.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Security.Cryptography.Cng.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Security.Cryptography.Csp.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\PresentationFramework.Luna.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Reflection.TypeExtensions.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Windows.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.IO.Packaging.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Net.Primitives.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\ReachFramework.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.IO.IsolatedStorage.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Resources.Extensions.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Security.Cryptography.OpenSsl.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Collections.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Xml.Linq.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\clretwrc.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Globalization.Extensions.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Net.Security.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Runtime.InteropServices.RuntimeInformation.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Xml.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\mscordbi.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Configuration.ConfigurationManager.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Private.Xml.Linq.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Net.WebClient.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Numerics.Vectors.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Runtime.InteropServices.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\mscordaccore.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.IO.FileSystem.Primitives.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Collections.Concurrent.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Data.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Management.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Net.ServicePoint.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Runtime.Serialization.Json.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Threading.AccessControl.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Windows.Controls.Ribbon.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\Microsoft.DiaSymReader.Native.amd64.dll	Wasper-Setup.exe
File opened for modification	C:\Program Files (x86)\WasperApp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\WasperApp\System.ServiceProcess.dll	Wasper-Setup.exe
File created	C:\Program Files (x86)\WasperApp\System.Threading.Timer.dll	Wasper-Setup.exe

Executes dropped EXE 4 IoCs

Processes:

WasperApp.exesnss1.exesnss2.exesnss2.exe

pid process

2712 WasperApp.exe
2508 snss1.exe
2688 snss2.exe
1624 snss2.exe

pid	process
2712	WasperApp.exe
2508	snss1.exe
2688	snss2.exe
1624	snss2.exe

Loads dropped DLL 63 IoCs

Processes:

Wasper-Setup.exeWasperApp.exeexplorer.exesnss2.exesnss2.exe

pid	process
756	Wasper-Setup.exe
756	Wasper-Setup.exe
756	Wasper-Setup.exe
756	Wasper-Setup.exe
756	Wasper-Setup.exe
756	Wasper-Setup.exe
1192
1192
1192
1192
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
1192
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
2712	WasperApp.exe
3044	explorer.exe
3044	explorer.exe
2688	snss2.exe
1624	snss2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1512 3044 WerFault.exe explorer.exe

pid	pid_target	process	target process
1512	3044	WerFault.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeexplorer.exemsiexec.exemsiexec.exesnss2.exesnss2.exeWasper-Setup.exesnss1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wasper-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

WasperApp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WasperApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WasperApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WasperApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WasperApp.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesnss1.execmd.exeexplorer.exe

pid process

304 powershell.exe
1100 powershell.exe
1796 powershell.exe
2640 powershell.exe
2508 snss1.exe
2508 snss1.exe
1716 cmd.exe
1716 cmd.exe
3044 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

snss1.execmd.exe

pid process

2508 snss1.exe
1716 cmd.exe

pid	process
304	powershell.exe
1100	powershell.exe
1796	powershell.exe
2640	powershell.exe
2508	snss1.exe
2508	snss1.exe
1716	cmd.exe
1716	cmd.exe
3044	explorer.exe

pid	process
2508	snss1.exe
1716	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exemsiexec.exemsiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeShutdownPrivilege	2196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	1224	msiexec.exe
Token: SeTakeOwnershipPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeCreateTokenPrivilege	2196	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2196	msiexec.exe
Token: SeLockMemoryPrivilege	2196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2196	msiexec.exe
Token: SeMachineAccountPrivilege	2196	msiexec.exe
Token: SeTcbPrivilege	2196	msiexec.exe
Token: SeSecurityPrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeLoadDriverPrivilege	2196	msiexec.exe
Token: SeSystemProfilePrivilege	2196	msiexec.exe
Token: SeSystemtimePrivilege	2196	msiexec.exe
Token: SeProfSingleProcessPrivilege	2196	msiexec.exe
Token: SeIncBasePriorityPrivilege	2196	msiexec.exe
Token: SeCreatePagefilePrivilege	2196	msiexec.exe
Token: SeCreatePermanentPrivilege	2196	msiexec.exe
Token: SeBackupPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeShutdownPrivilege	2196	msiexec.exe
Token: SeDebugPrivilege	2196	msiexec.exe
Token: SeAuditPrivilege	2196	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2196	msiexec.exe
Token: SeChangeNotifyPrivilege	2196	msiexec.exe
Token: SeRemoteShutdownPrivilege	2196	msiexec.exe
Token: SeUndockPrivilege	2196	msiexec.exe
Token: SeSyncAgentPrivilege	2196	msiexec.exe
Token: SeEnableDelegationPrivilege	2196	msiexec.exe
Token: SeManageVolumePrivilege	2196	msiexec.exe
Token: SeImpersonatePrivilege	2196	msiexec.exe
Token: SeCreateGlobalPrivilege	2196	msiexec.exe
Token: SeShutdownPrivilege	1712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1712	msiexec.exe
Token: SeBackupPrivilege	1032	vssvc.exe
Token: SeRestorePrivilege	1032	vssvc.exe
Token: SeAuditPrivilege	1032	vssvc.exe
Token: SeCreateTokenPrivilege	1712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1712	msiexec.exe
Token: SeLockMemoryPrivilege	1712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1712	msiexec.exe
Token: SeMachineAccountPrivilege	1712	msiexec.exe
Token: SeTcbPrivilege	1712	msiexec.exe
Token: SeSecurityPrivilege	1712	msiexec.exe
Token: SeTakeOwnershipPrivilege	1712	msiexec.exe
Token: SeLoadDriverPrivilege	1712	msiexec.exe
Token: SeSystemProfilePrivilege	1712	msiexec.exe
Token: SeSystemtimePrivilege	1712	msiexec.exe
Token: SeProfSingleProcessPrivilege	1712	msiexec.exe
Token: SeIncBasePriorityPrivilege	1712	msiexec.exe
Token: SeCreatePagefilePrivilege	1712	msiexec.exe
Token: SeCreatePermanentPrivilege	1712	msiexec.exe
Token: SeBackupPrivilege	1712	msiexec.exe
Token: SeRestorePrivilege	1712	msiexec.exe
Token: SeShutdownPrivilege	1712	msiexec.exe
Token: SeDebugPrivilege	1712	msiexec.exe
Token: SeAuditPrivilege	1712	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1712	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

2196 msiexec.exe
1712 msiexec.exe
1712 msiexec.exe

pid	process
2196	msiexec.exe
1712	msiexec.exe
1712	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Wasper-Setup.exeWasperApp.exesnss1.execmd.exeexplorer.exesnss2.exe

description	pid	process	target process
PID 756 wrote to memory of 2712	756	Wasper-Setup.exe	WasperApp.exe
PID 756 wrote to memory of 2712	756	Wasper-Setup.exe	WasperApp.exe
PID 756 wrote to memory of 2712	756	Wasper-Setup.exe	WasperApp.exe
PID 756 wrote to memory of 2712	756	Wasper-Setup.exe	WasperApp.exe
PID 2712 wrote to memory of 304	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 304	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 304	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 1100	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 1100	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 1100	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 1796	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 1796	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 1796	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 2640	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 2640	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 2640	2712	WasperApp.exe	powershell.exe
PID 2712 wrote to memory of 2508	2712	WasperApp.exe	snss1.exe
PID 2712 wrote to memory of 2508	2712	WasperApp.exe	snss1.exe
PID 2712 wrote to memory of 2508	2712	WasperApp.exe	snss1.exe
PID 2712 wrote to memory of 2508	2712	WasperApp.exe	snss1.exe
PID 2508 wrote to memory of 1716	2508	snss1.exe	cmd.exe
PID 2508 wrote to memory of 1716	2508	snss1.exe	cmd.exe
PID 2508 wrote to memory of 1716	2508	snss1.exe	cmd.exe
PID 2508 wrote to memory of 1716	2508	snss1.exe	cmd.exe
PID 2508 wrote to memory of 1716	2508	snss1.exe	cmd.exe
PID 1716 wrote to memory of 3044	1716	cmd.exe	explorer.exe
PID 1716 wrote to memory of 3044	1716	cmd.exe	explorer.exe
PID 1716 wrote to memory of 3044	1716	cmd.exe	explorer.exe
PID 1716 wrote to memory of 3044	1716	cmd.exe	explorer.exe
PID 1716 wrote to memory of 3044	1716	cmd.exe	explorer.exe
PID 1716 wrote to memory of 3044	1716	cmd.exe	explorer.exe
PID 3044 wrote to memory of 2196	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2196	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2196	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2196	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2196	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2196	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2196	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1712	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1712	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1712	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1712	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1712	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1712	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1712	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2604	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2604	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2604	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2604	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2604	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2604	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 2604	3044	explorer.exe	msiexec.exe
PID 3044 wrote to memory of 1512	3044	explorer.exe	WerFault.exe
PID 3044 wrote to memory of 1512	3044	explorer.exe	WerFault.exe
PID 3044 wrote to memory of 1512	3044	explorer.exe	WerFault.exe
PID 3044 wrote to memory of 1512	3044	explorer.exe	WerFault.exe
PID 2712 wrote to memory of 2688	2712	WasperApp.exe	snss2.exe
PID 2712 wrote to memory of 2688	2712	WasperApp.exe	snss2.exe
PID 2712 wrote to memory of 2688	2712	WasperApp.exe	snss2.exe
PID 2712 wrote to memory of 2688	2712	WasperApp.exe	snss2.exe
PID 2712 wrote to memory of 2688	2712	WasperApp.exe	snss2.exe
PID 2712 wrote to memory of 2688	2712	WasperApp.exe	snss2.exe
PID 2712 wrote to memory of 2688	2712	WasperApp.exe	snss2.exe
PID 2688 wrote to memory of 1624	2688	snss2.exe	snss2.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Wasper-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Wasper-Setup.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\WasperApp\WasperApp.exe
"C:\Program Files (x86)\WasperApp\WasperApp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\AppData\Local\Temp\d3c7f071-5a6f-4d06-bc1a-033f265ec191\snss1.exe
"C:\Users\Admin\AppData\Local\Temp\d3c7f071-5a6f-4d06-bc1a-033f265ec191\snss1.exe"
3⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\ProgramData\HDGDHCGCBK.msi" /passive
6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2196

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\ProgramData\IJDGIIEBFC.msi" /passive
6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1712

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\ProgramData\DHCAECGIEB.msi" /passive
6⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1924
6⤵
- Program crash
PID:1512

C:\Users\Admin\AppData\Local\Temp\d3c7f071-5a6f-4d06-bc1a-033f265ec191\snss2.exe
"C:\Users\Admin\AppData\Local\Temp\d3c7f071-5a6f-4d06-bc1a-033f265ec191\snss2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Temp\{974FF19E-B093-448D-93AA-BB63534958D9}\.cr\snss2.exe
"C:\Windows\Temp\{974FF19E-B093-448D-93AA-BB63534958D9}\.cr\snss2.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\d3c7f071-5a6f-4d06-bc1a-033f265ec191\snss2.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1624

C:\Windows\Temp\{E81CC779-930F-4C8D-95F3-0FA98E8F6A90}\.ba\pythonw.exe
"C:\Windows\Temp\{E81CC779-930F-4C8D-95F3-0FA98E8F6A90}\.ba\pythonw.exe"
5⤵
PID:2692

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Users\Admin\AppData\Local\Kalif\IUService.exe
"C:\Users\Admin\AppData\Local\Kalif\IUService.exe"
2⤵
PID:1700

C:\Users\Admin\AppData\Roaming\validateupload_debug\IUService.exe
C:\Users\Admin\AppData\Roaming\validateupload_debug\IUService.exe
3⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
PID:2276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E4" "00000000000004C4"
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f78e92b.rbs

Filesize
8KB

MD5
3c834a26ae996c329d06770f9c16f6b7

SHA1
ff47c2d19172787fe6bbd75ba75a5449ca040483

SHA256
48e320e7047274a97d89d8aa779f42d1ef2477cfbfeaa1f641ad429eb2545f9e

SHA512
7694003bf3f1ca6e547c88d24649d7d4a2cdc4ef0f56f76ad2a53ff71af9854ac4e12a225ca80780a19afe57594e7c1b49530d46da3a5a4a35de154f16ad512a

Download Submit
C:\Program Files (x86)\WasperApp\Accessibility.dll

Filesize
20KB

MD5
fb554f9fe0b91f135d26ac6459cfd6f2

SHA1
b1269a2c28bded872b14fe70b69484631ef3a65d

SHA256
929ea150ad45b7c7dd5427461fbec44d43b67c08081f59b42b6abf570feae271

SHA512
8dffde6cddfc59ec380111fd36048126559e1f1e080c081ca0d09021bb23d6888e93e1659c7b3a8fa46f76602b03cf3e638ec1a80fba79e51648dcb32362e10c

Download Submit
C:\Program Files (x86)\WasperApp\Microsoft.Win32.Primitives.dll

Filesize
15KB

MD5
300c95ff95b52e8a02fec6bfcfa58225

SHA1
b646f89fcd463ad5c19889b4fea40540568b780c

SHA256
f1b40565e5c4c41da810aee5b7d2272a0906e88f796812435aa5ed712bcac40c

SHA512
9bfe0eb6eea98b2d35aa42986a273ec82424143965e173b32bb4b7e5537580a027940a6952a45fc54f0b665e871deb2a95651106c2f24c7de3b3d3cd2dec7e89

Download Submit
C:\Program Files (x86)\WasperApp\System.Collections.Concurrent.dll

Filesize
270KB

MD5
38d21e067d7673194a84cced59066ac8

SHA1
e64362176f714b23603f3a67f1e741f12e35a832

SHA256
483130bfd1e57a0cbfd8a4f3c6e2353ac3f246276f9476c83cca1cadbc47ef47

SHA512
3fa6f78ff0cb527a8e82261549f24a8609d005821ac5c5e7257670dffd55472a134af3ef78d73779758303ae5a90728181cd4caebc871c5cfa4c309141201baf

Download Submit
C:\Program Files (x86)\WasperApp\System.Collections.dll

Filesize
254KB

MD5
92063926c04f2e4bf5b5fde16542831d

SHA1
e7be34eaff2d3d8796911d21f1fdbb93bf231dec

SHA256
9193aaef3ea8f19408f88c25fcaf5880e7836d1c35028d7e4077f6090b083541

SHA512
e855ee37980d1da2d143ee39133b05fff81937e529cffe74433e73088549daabd3abadbf05f3765bf3ffffd50313f0ed966efec0eb244d7363241affd73cc29f

Download Submit
C:\Program Files (x86)\WasperApp\System.Drawing.Primitives.dll

Filesize
130KB

MD5
b5ca10a41cc865048491f617678722a9

SHA1
afe171d9d676b78983b802e18ef8e00927073c64

SHA256
cbe9fbb1d1e4850460854474ffd8c01ddcc756dcb33a86d1674c0cb2e2a0b026

SHA512
2afdce56b7eec6deb82f8b2d5ec3029b5a0ee1e8bbf2e0ff9a0a5310bf265ddcdf63660546b4dbcc3c5fb0cba3cbb94f2408fe5cb4d14dbe0e74aba6dd5a2192

Download Submit
C:\Program Files (x86)\WasperApp\System.IO.FileSystem.dll

Filesize
15KB

MD5
35e27f4c681085a4b096826ee8ea4f53

SHA1
cf3ea4304e5558c8fdd4422e4d72509cd91ea719

SHA256
7bd41c6b12b73e6e90476f2d56db8581664abe07e7ab9bf2917bb254ed1d75ad

SHA512
1f9e6519ff29524e57cb0b3576ab118014293aade8f30027ef44b1f29a8e9a54e7bcb3b288a92dba996053b16016807d93fa9f44f2c43666ddc6425ddd7ae4b9

Download Submit
C:\Program Files (x86)\WasperApp\System.Private.CoreLib.dll

Filesize
12.6MB

MD5
805cf170e27dd31219a6b873c17dce88

SHA1
ac90fa4690a8b54b6248dcb4c41a2c9a74547667

SHA256
ba7e61a00e7a4634b5c5a79b83126f75580ceec235c613000c3efbc01826cad0

SHA512
fa946aae906b66cb5570155a1c77340f2b6d4efb9be16068da03a8f1c5b5f37ad847d65cd1416017db19375dc6a72670300da4c766e6d9bb1a00374f492bd866

Download Submit
C:\Program Files (x86)\WasperApp\System.Runtime.dll

Filesize
42KB

MD5
53501b2f33c210123a1a08a977d16b25

SHA1
354e358d7cf2a655e80c4e4a645733c3db0e7e4d

SHA256
1fc86ada2ec543a85b8a06a9470a7b5aaa91eb03cfe497a32cd52a1e043ea100

SHA512
9ef3b47ddd275de9dfb5ded34a69a74af2689ebcb34911f0e4ffef9e2faf409e2395c7730bce364b5668b2b3b3e05a7b5998586563fb15e22c223859b2e77796

Download Submit
C:\Program Files (x86)\WasperApp\System.Security.Cryptography.Algorithms.dll

Filesize
17KB

MD5
8f3b379221c31a9c5a39e31e136d0fda

SHA1
e57e8efe5609b27e8c180a04a16fbe1a82f5557d

SHA256
c99c6b384655e1af4ae5161fe9d54d95828ae17b18b884b0a99258f1c45aa388

SHA512
377f4e611a7cf2d5035f4622c590572031a476dd111598168acea1844aaa425c0fe012c763fbc16290c7b32c6c7df7b2563c88227e3dbc5d2bd02250c9d368d9

Download Submit
C:\Program Files (x86)\WasperApp\System.Security.Cryptography.Csp.dll

Filesize
15KB

MD5
c7f55dbc6f5090194c5907054779e982

SHA1
efa17e697b8cfd607c728608a3926eda7cd88238

SHA256
16bc1f72938d96deca5ce031a29a43552385674c83f07e4f91d387f5f01b8d0a

SHA512
ae0164273b04afdec2257ae30126a8b44d80ee52725009cc917d28d09fcfb19dfbbb3a817423e98af36f773015768fed9964331d992ad1830f6797b854c0c355

Download Submit
C:\Program Files (x86)\WasperApp\System.Security.Cryptography.Primitives.dll

Filesize
15KB

MD5
777ac34f9d89c6e4753b7a7b3be4ca29

SHA1
27e4bd1bfd7c9d9b0b19f3d6008582b44c156443

SHA256
6703e8d35df4b6389f43df88cc35fc3b3823fb3a7f04e5eb540b0af39f5fa622

SHA512
a791fa27b37c67ace72956680c662eb68f053fa8c8f4205f6ed78ecb2748d27d9010a8de94669d0ee33a8fca885380f8e6cfad9f475b07f60d34cdcb02d57439

Download Submit
C:\Program Files (x86)\WasperApp\System.Threading.Thread.dll

Filesize
15KB

MD5
72d839e793c4f3200d4c5a6d4aa28d20

SHA1
fbc25dd97b031a6faddd7e33bc500719e8eead19

SHA256
84c9a95609878542f00fe7da658f62d1a6943a43e6346af80d26bcff069a4dbd

SHA512
a414cd9d7cf6a04709f3bdbef0295349b845a8301171ed6394e97b9993f35816383b958736c814f91c359a783cca86ee04802856486d4b4e0ab90a45da39db1d

Download Submit
C:\Program Files (x86)\WasperApp\hostfxr.dll

Filesize
342KB

MD5
16532d13721ba4eac3ca60c29eefb16d

SHA1
f058d96f8e93b5291c07afdc1d891a8cc3edc9a0

SHA256
5aa15c6119b971742a7f824609739198a3c7c499370ed8b8df5a5942f69d9303

SHA512
9da30d469b4faed86a4bc62617b309f34e6bda66a3021b4a27d197d4bcb361f859c1a7c0aa2d16f0867ad93524b62a5f4e5ae5cf082da47fece87fc3d32ab100

Download Submit
C:\Program Files (x86)\WasperApp\mscorrc.dll

Filesize
133KB

MD5
53e03d5e3bffa02fbc7fb1420ac8e858

SHA1
36c44c9ff39815aa167f341c286c5cd1514f771f

SHA256
23a433398be5135222ee14bb1de6334e7b22bad1a38664a83f1cf19dfbddd960

SHA512
f6aca16b90f6b4efa413dc9a8f1d05e83c1e3791b2cb988f9bce69d5272a0077c1edcae4111a494d166b5e3ab4e25956dead4e93ee1e43417c2b7bb082292170

Download Submit
C:\ProgramData\HDGDHCGCBK.msi

Filesize
8.2MB

MD5
9152b6bd1ce59c0ece04db6a3be2d5fd

SHA1
e02f3f2ff8da78a59e1b2208852c9873f9b27b34

SHA256
1f3aa94fb9279137db157fc529a8b7e6067cbd1fe3eb13c6249f7c8b4562958a

SHA512
09490da71bc0229b403817f9a47c3c5465fdb81f59551db69e236380b06ecbc83edf4fdba5bef842b422e82ecbd467bcdb9d9995e8da49b81c2ff17feb5fc854

Download Submit
C:\ProgramData\IJDGIIEBFC.msi

Filesize
15.4MB

MD5
3762687f6636ac9f2cbf99aa7a15cd46

SHA1
fef00ffe364e45fb33034609a3cf60f7653af2aa

SHA256
5535bf554c8314b500fb9f00d5bdea0ade884cb7c74536bdaafa501361232e73

SHA512
8b33f26aa4481557529171e10c7999de39f7ed98c2c924da3860960187012d68db7016c881367b04aa9deec99477828dde54a189e02c2d7b8c9c7802953b371d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E90.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F9E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCE78.tmp\ioSpecial.ini

Filesize
1KB

MD5
21e231796b859302d7f65bb6560ab718

SHA1
552763ab8f64f9386420c43fcd417f7b968b7e42

SHA256
df91c897cff0624580e60472dab4f169af0b42412fd1effd768cb98306026473

SHA512
1d6fbb6e44290fc26a8a700d2e1961e51494e561a10cb3ef8b31f8278281879b6235dea46441ec7079d2eec704320285e7f2c406f7f0328e61835f1f89da2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoCE78.tmp\ioSpecial.ini

Filesize
1KB

MD5
5067cf694aa51b5b42e43215045a6c13

SHA1
2f1460c9a8c10c21e0f5343cb45542d3553fc600

SHA256
1512ae06376f2199d045414d24fd6c870620a8be1325e30d80f8bd14eceffc0c

SHA512
4402c088318fd52b73a9e09584ae89b369bc3a012b4dd2ff0ec36afb996f171d1bef97d3004564de14407a5f0d4432740be691184b015e3016805d5dbd36dcbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HIKFDB0318Q1TJKAR9I6.temp

Filesize
7KB

MD5
a8fe6de355ef96d5da7465ea3bcb5e0d

SHA1
26dec686e646fc0b48115736a2e37fd59e8baca0

SHA256
0780137d14c606b60cdedbd5119f9153769d2960619e791e535bb38f9870900f

SHA512
0a4c2a12601068e598a3dfed4f6021bd1b0bcd7e17b88f93ee171fb5a9fe84515abe5803da8a084830d5c889a531cffeaa937e0b151c4e220d9e01a637830e09

Download Submit
C:\Users\Admin\AppData\Roaming\validateupload_debug\IUService.exe

Filesize
163KB

MD5
0588ce0c39da3283e779c1d5b21d283b

SHA1
1f264a47972d63db2cde18dc8311bc46551380eb

SHA256
d5a6714ab95caa92ef1a712465a44c1827122b971bdb28ffa33221e07651d6f7

SHA512
a5f97ac156d081cb4d9b3f32948eea387725c88af0f19e8bc8db2058a19e211648b7fd86708ff5e1db8f7b57ca3ab8edeba771c9d684c53bcb228ca71adab02a

Download Submit
C:\Windows\Temp\{974FF19E-B093-448D-93AA-BB63534958D9}\.cr\snss2.exe

Filesize
3.6MB

MD5
792e1905682368b5c8ce8323e983188e

SHA1
6b3f5b383109b6511861e6efe2b048b352d28c3f

SHA256
8984a02658d687941f0b94101028af467ab8ab72ff7ebae6c9fee0c62672c55e

SHA512
cbc36c0440a873dd0d10e45e2d9a6e357a1a0b51af61aee29f70058fcfa2ded076d20a3748d9cf19e5642752d1bd2905ec833ede378d2a55d63a0129903535b6

Download Submit
\Program Files (x86)\WasperApp\System.Collections.Specialized.dll

Filesize
102KB

MD5
cc26e9e30ffab763a1e54c0ef3713382

SHA1
c3be6646b7a4576ebd7729dbf4dccbd1fc159d51

SHA256
0cbabb81eae22f4c07c6c846054d207ae3f25da15649eb7fa29e4e2cecd24db4

SHA512
c8e57fb70cfa7667f9a5484c99eedd0bf34004ee26e9642e99a6b90624caa804af571d8aaafa7e9b121550af58205f8ed197b4ddb928210d394ff0b4c1897149

Download Submit
\Program Files (x86)\WasperApp\System.ComponentModel.EventBasedAsync.dll

Filesize
46KB

MD5
333639248121fb67d18323613a8203ea

SHA1
0cee5f7d46596239b833b3b30dccde27b0136959

SHA256
4c97d7bc0742faaa52ba86018b040aac44ddfc88a5835f9e6a659e03b4558999

SHA512
714fcb7299abcb26100b5f4103834c11c58f535ee9853fca2bcb22f43a3d1e7608d6ccae2dcc93d1687a4f1c8b521afe683d537f70f858681e62fff2d79c4acb

Download Submit
\Program Files (x86)\WasperApp\System.ComponentModel.Primitives.dll

Filesize
78KB

MD5
1c59c00ab0850af4b4d2bafd6be47db3

SHA1
4c6185b2f42987e25a5fdf2aa30cf4150de25d5b

SHA256
133ec34432ab8fa4f63ade636193864b6a62a089a0c98d746f5532c8a52f437b

SHA512
8425c02c4afb274e862e4ed5dd1c766ebfa1bcf5bf59018d86238014a52603331a8b7c1e233f5a1f22171e90132ddd585db0d2561ff2cd287d703397afdff4b1

Download Submit
\Program Files (x86)\WasperApp\System.Diagnostics.TraceSource.dll

Filesize
142KB

MD5
fe6a4b96e144131788108c8396a849eb

SHA1
40e6e5d03cfe036645ae854d5a2262faec6bed32

SHA256
22365ee4e3ba3c991d495e41f92e29bf6ddb38a48c44f55651271b80ee62b6d1

SHA512
61644c0e970dd6a6ff697b110bf99962931dd94deda5a966ea0fded3d23cba7433b802656295e04f1a95421774ea3c838f0a642d26b5e46ae6c05becb52eb7f1

Download Submit
\Program Files (x86)\WasperApp\System.Drawing.Common.dll

Filesize
1.5MB

MD5
e4715322db624dc52947a42ac67757ab

SHA1
ba0b0850142ecc3910927d6f2e5781b896d7d442

SHA256
75b1e772a4355145364121af00e5b5cf06c7212aa53d662fdc996bc11e8092a9

SHA512
3c86d44eb209a3a1f2001968a2b139e532a0513fd2decff04aa1bf8b30b6202c70fc0e7ac8b22ace563023671259cd74cf65062132e7f1b97d3580621686b05a

Download Submit
\Program Files (x86)\WasperApp\System.Memory.dll

Filesize
154KB

MD5
7e999da530c21a292cec8a642127b8c8

SHA1
6585d0260ae98bab2ad1eaba0f9cfe8ebb8a0b3f

SHA256
3af25e0c81c1462d0db86f55c4e5fd8c048c70685f9a566d29d499bc46935fb4

SHA512
a18b6649b5c2f9f96bf639863df9faad436759200a64f91fb2d955f33c71ce4b2d5798be982f692a247ac864d8acb63fb731b31c06333e5c7d9a9c895ecd6451

Download Submit
\Program Files (x86)\WasperApp\System.Private.Xml.Linq.dll

Filesize
394KB

MD5
60ed8b2bffc748d6a2a1fed8fa923368

SHA1
be411429b9a649a495124558c5e5d95a83525d58

SHA256
0b63cebb991d1911a607993ea5b4639f34a2b0b381a73973542db2d3591e9f90

SHA512
b0a4ac2aa96d827258bb30f098512741ad3f93585e05ceae0255e15cd8dc9ab8048788902c1eb32a813e9c69c8a923200a716b4e00f579c22a0b425665e575f8

Download Submit
\Program Files (x86)\WasperApp\System.Private.Xml.dll

Filesize
7.6MB

MD5
46aebfbd6d7e74d4d558da62d7600d25

SHA1
9c1cd44ab8b5e283967427e91cbddddfc0c2bf5a

SHA256
834e304221e742a831be5c5178892258e689eae35b730172e74161af2785aab9

SHA512
9c4499d174a988cc3830aafcc42f79defff37b16198f49cf5d2dc86f88809fcb44e0c300351f813d46addf9998f64448c50213f1721c6a307aad21c205db1524

Download Submit
\Program Files (x86)\WasperApp\System.Runtime.InteropServices.dll

Filesize
94KB

MD5
49c86e36b713e2b7daeb7547cede45fb

SHA1
75fe38864362226d2cce32b2c25432b1fd18ba37

SHA256
756de3f5f2e07b478ac046a0ac976b992ef6bc653a1be2bb1e28524a4ff8d67d

SHA512
a9bd42b626158c540be04f8d392620daba544a55b7438d6caefe93b9df10ec2219f28959c4e0d706a86b92008275de94dfdf19de730787cdacf46d99fc45e3a9

Download Submit
\Program Files (x86)\WasperApp\System.Security.Cryptography.dll

Filesize
2.0MB

MD5
75f18d3666eb009dd86fab998bb98710

SHA1
b273f135e289d528c0cfffad5613a272437b1f77

SHA256
4582f67764410785714a30fa05ffaaad78fe1bc8d4689889a43c2af825b2002e

SHA512
9e110e87e00f42c228729e649903ad649b962ae28900d486ee8f96c47acca094dbace608f9504745abf7e69597cdef3c6b544b5194703882a0a7f27b011fa8d5

Download Submit
\Program Files (x86)\WasperApp\System.Threading.dll

Filesize
82KB

MD5
32aa6e809d0ddb57806c6c23b584440e

SHA1
6bd651b9456f88a28f7054af475031afe52b7b64

SHA256
e8d1f5c422ee0ba3b235b22028ab92dc77c1ff9774edc0b940cad7224a30ba7d

SHA512
fe43b3d6ed5c37d59a44636d3c7522a88d83e6ec074bf69d3cbb6e5454fdd8f0523ea10fdf6fd452cbd0e2fc159cf9d03dfad6b30e80e400e7f1773b5a2e8632

Download Submit
\Program Files (x86)\WasperApp\System.Windows.Forms.Primitives.dll

Filesize
2.9MB

MD5
8129c2d72bcba8b50576e7c43e558832

SHA1
f4892f78d2496f3a2e1fa2380ff68fbeb62e2dca

SHA256
5794a3996a0b4ab9cb13f3de0f87d50462615a7d0eb1d243d9324a682c1b58cb

SHA512
40fafbf9590d2b2c8f487f44708e9e97ddce03b1487be5c7cb3d4c92bdb7100a98aebada379f63003f0dd9d447ee2b0b9dfa0b057320ac05f7f77b31c5ffa97d

Download Submit
\Program Files (x86)\WasperApp\System.Windows.Forms.dll

Filesize
12.9MB

MD5
a51632facb386d55cc3bc1f0822e4222

SHA1
59144c26183277304933fd8bb5da7d363fcc11fa

SHA256
efc52dbbef5202d9ff424d7adc6e2249b66450a5fd5414891776fc617b00123e

SHA512
2a8d8e2ee8168e6f79476616385320f463ebc161c7393db2b18a7d35ca0111c5100b83954c5eabfe32b12cac3dbfdc514271dde4cc4468dd26235eb7020d9c14

Download Submit
\Program Files (x86)\WasperApp\WasperApp.dll

Filesize
192KB

MD5
775cc26f32a72997809e52339d6af4ef

SHA1
317c5bbe942f5319bdd4ecf2faf6a7587796b2a7

SHA256
666874e14b4d070c9824cc9180b8ae26dd35c707da26baddc54b0f223dedaeba

SHA512
61ed2694bf2c6909ea6c013f6d3dd7af95ac8f77df6a90d345689996087e813261902e45a01958beae92616bdb2f2523a6903c01140b48e9ea4a4a7ea60c3ab4

Download Submit
\Program Files (x86)\WasperApp\WasperApp.exe

Filesize
145KB

MD5
851282ad3223ef69b792dc60a25c1b6e

SHA1
91a6d226d9acf6a7481d149c061e107c8ff11e85

SHA256
19106191483fff081f7294dc0e1f39ed5ed9441c21656f7a213936e423e1700e

SHA512
1f8a10b08505ad11f66d54d35e3f37cb29922878fc0868d8420f3ca51de626dc30f0265f29de2b4c0b48eb9d19b9842dc7cd11df6b17d9db3e67ff50f758c356

Download Submit
\Program Files (x86)\WasperApp\clrjit.dll

Filesize
1.7MB

MD5
8b81a3f0521b10e9de59507fe8efd685

SHA1
0516ff331e09fbd88817d265ff9dd0b647f31acb

SHA256
0759c8129bc761fe039e1cacb92c643606591cb8149a2ed33ee16babc9768dcb

SHA512
ea11c04b92a76957dcebe9667bef1881fc9afa0f8c1547e23ada8125aa9e40d36e0efaf5749da346ba40c66da439cbd15bf98453e1f8dab4fe1efd5618fdc176

Download Submit
\Program Files (x86)\WasperApp\coreclr.dll

Filesize
4.8MB

MD5
9369162a572d150dca56c7ebcbb19285

SHA1
81ce4faeecbd9ba219411a6e61d3510aa90d971d

SHA256
871949a2ec19c183ccdacdea54c7b3e43c590eaf445e1b58817ee1cb3ce366d5

SHA512
1eb5eb2d90e3dd38023a3ae461f717837ce50c2f9fc5e882b0593ab81dae1748bdbb7b9b0c832451dfe3c1529f5e1894a451365b8c872a8c0a185b521dbcd16b

Download Submit
\Program Files (x86)\WasperApp\hostpolicy.dll

Filesize
388KB

MD5
a7e9ed205cf16318d90734d184f220d0

SHA1
10de2d33e05728e409e254441e864590b77e9637

SHA256
02c8dbe7bf1999352fc561cb35b51c6a88c881a4223c478c91768fdaf8e47b62

SHA512
3ecbaf20946e27d924a38c5a2bf11bac7b678b8c4ebf6f436c923ea935982500e97f91d0e934b7fd6b1fc2a2fd34e7d7b31dbbe91314a218724b3b2fd64c4052

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCE78.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCE78.tmp\LangDLL.dll

Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
\Users\Admin\AppData\Local\Temp\nsoCE78.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
memory/304-519-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1100-518-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1620-735-0x0000000077350000-0x00000000774F9000-memory.dmp

Filesize
1.7MB

Download
memory/1620-733-0x0000000072760000-0x00000000728D4000-memory.dmp

Filesize
1.5MB

Download
memory/1700-727-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1700-730-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1700-732-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/1700-729-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1700-715-0x0000000077350000-0x00000000774F9000-memory.dmp

Filesize
1.7MB

Download
memory/1700-714-0x0000000073160000-0x00000000732D4000-memory.dmp

Filesize
1.5MB

Download
memory/1700-728-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1700-731-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1716-572-0x00000000746B0000-0x0000000074824000-memory.dmp

Filesize
1.5MB

Download
memory/1716-571-0x0000000077350000-0x00000000774F9000-memory.dmp

Filesize
1.7MB

Download
memory/2508-533-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2508-569-0x00000000746B0000-0x0000000074824000-memory.dmp

Filesize
1.5MB

Download
memory/2508-535-0x0000000077350000-0x00000000774F9000-memory.dmp

Filesize
1.7MB

Download
memory/2508-534-0x00000000746B0000-0x0000000074824000-memory.dmp

Filesize
1.5MB

Download
memory/2712-462-0x000007FEF5F7A000-0x000007FEF5F7B000-memory.dmp

Filesize
4KB

Download
memory/2712-528-0x000007FEF5F7A000-0x000007FEF5F7B000-memory.dmp

Filesize
4KB

Download
memory/3044-672-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3044-656-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3044-604-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3044-578-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3044-576-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/3044-575-0x0000000077350000-0x00000000774F9000-memory.dmp

Filesize
1.7MB

Download
memory/3044-574-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download