hijackloader | hxxp://wasper[.]app

Analysis

max time kernel
387s
max time network
386s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wasper.app

Score

10^/10

hijackloader rhadamanthys stealc wasp18 discovery execution loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

wasp18

http://194.120.116.197

Attributes

url_path
/e70363f181409a35.php

Signatures

Detects HijackLoader (aka IDAT Loader) 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4012-1057-0x0000000000400000-0x00000000009E7000-memory.dmp	family_hijackloader
behavioral1/memory/4380-1136-0x0000000000E90000-0x0000000001036000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 4712 created 3052 4712 explorer.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3032 powershell.exe
5984 powershell.exe
2300 powershell.exe
3608 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 4712 created 3052	4712	explorer.exe	sihost.exe

pid	process
3032	powershell.exe
5984	powershell.exe
2300	powershell.exe
3608	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Program Files (x86)\Wasper\Wasper.dll	net_reactor

Executes dropped EXE 4 IoCs

Processes:

Wasper Setup.exeWasper.exesnss1.exesnss2.exe

pid process

1476 Wasper Setup.exe
2832 Wasper.exe
4012 snss1.exe
4380 snss2.exe

Loads dropped DLL 55 IoCs

Processes:

Wasper Setup.exeWasper.exeexplorer.exe

pid	process
1476	Wasper Setup.exe
1476	Wasper Setup.exe
1476	Wasper Setup.exe
1476	Wasper Setup.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
2832	Wasper.exe
5848	explorer.exe
5848	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

snss1.exesnss2.exe

description pid process target process

PID 4012 set thread context of 5344 4012 snss1.exe cmd.exe
PID 4380 set thread context of 5188 4380 snss2.exe cmd.exe

description	pid	process	target process
PID 4012 set thread context of 5344	4012	snss1.exe	cmd.exe
PID 4380 set thread context of 5188	4380	snss2.exe	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

Wasper Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Wasper\pt-BR\WindowsFormsIntegration.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\ru\Microsoft.VisualBasic.Forms.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\zh-Hans\System.Windows.Forms.Design.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\Microsoft.DiaSymReader.Native.amd64.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Diagnostics.PerformanceCounter.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\mscordaccore.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pl\System.Windows.Forms.Primitives.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pt-BR\System.Windows.Forms.Primitives.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Reflection.Primitives.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Resources.Extensions.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\it\System.Xaml.resources.dll	Wasper Setup.exe
File opened for modification	C:\Program Files (x86)\Wasper\Wasper website.url	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Reflection.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\UIAutomationProvider.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\cs\System.Windows.Input.Manipulations.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\PresentationUI.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\it\UIAutomationClientSideProviders.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\es\System.Xaml.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Net.WebHeaderCollection.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Security.Claims.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\de\UIAutomationClient.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pt-BR\PresentationUI.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Data.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Security.Cryptography.Xml.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Windows.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\Microsoft.Win32.Registry.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pl\System.Windows.Input.Manipulations.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pt-BR\UIAutomationTypes.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pl\Microsoft.VisualBasic.Forms.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\ru\System.Windows.Input.Manipulations.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\ru\UIAutomationClientSideProviders.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Text.Json.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\hostfxr.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\it\WindowsBase.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\de\UIAutomationProvider.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\tr\UIAutomationClientSideProviders.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.IO.Compression.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\clrgc.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\cs\System.Xaml.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Security.AccessControl.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\ja\System.Xaml.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pl\ReachFramework.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\Microsoft.Win32.Registry.AccessControl.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Reflection.DispatchProxy.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Windows.Presentation.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Diagnostics.Process.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\de\UIAutomationClientSideProviders.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\de\ReachFramework.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\fr\System.Windows.Controls.Ribbon.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\PresentationCore.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Net.Http.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Runtime.Intrinsics.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.ComponentModel.Annotations.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.IO.Compression.ZipFile.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\it\System.Windows.Forms.Primitives.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\pl\UIAutomationTypes.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\ru\System.Windows.Controls.Ribbon.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Net.Ping.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Resources.Writer.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.ComponentModel.EventBasedAsync.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.IO.IsolatedStorage.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\ko\System.Windows.Controls.Ribbon.resources.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\System.Runtime.Serialization.Json.dll	Wasper Setup.exe
File created	C:\Program Files (x86)\Wasper\it\UIAutomationTypes.resources.dll	Wasper Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 573451.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 573451.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exesnss1.execmd.exeexplorer.exesnss2.execmd.exeexplorer.exeopenwith.exe

pid	process
3616	msedge.exe
3616	msedge.exe
3656	msedge.exe
3656	msedge.exe
212	identity_helper.exe
212	identity_helper.exe
5776	msedge.exe
5776	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
2588	msedge.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
5984	powershell.exe
5984	powershell.exe
5984	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
4012	snss1.exe
4012	snss1.exe
4012	snss1.exe
5344	cmd.exe
5344	cmd.exe
5344	cmd.exe
5344	cmd.exe
5848	explorer.exe
5848	explorer.exe
4380	snss2.exe
4380	snss2.exe
5188	cmd.exe
5188	cmd.exe
4712	explorer.exe
4712	explorer.exe
5044	openwith.exe
5044	openwith.exe
5044	openwith.exe
5044	openwith.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

snss1.execmd.exesnss2.execmd.exe

pid process

4012 snss1.exe
5344 cmd.exe
4380 snss2.exe
5188 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3656 msedge.exe
3656 msedge.exe
3656 msedge.exe
3656 msedge.exe
3656 msedge.exe
3656 msedge.exe
3656 msedge.exe
3656 msedge.exe
3656 msedge.exe

pid	process
4012	snss1.exe
5344	cmd.exe
4380	snss2.exe
5188	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	5984	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

msedge.exe

pid	process
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Wasper Setup.exeWasper.exesnss1.exesnss2.exe

pid process

1476 Wasper Setup.exe
2832 Wasper.exe
4012 snss1.exe
4380 snss2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3656 wrote to memory of 4376	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 4376	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 1980	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3616	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3616	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe
PID 3656 wrote to memory of 3820	3656	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3052

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wasper.app
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba7e146f8,0x7ffba7e14708,0x7ffba7e14718
2⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
2⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
2⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
2⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4080 /prefetch:8
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
2⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
2⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
2⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
2⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5776

C:\Users\Admin\Downloads\Wasper Setup.exe
"C:\Users\Admin\Downloads\Wasper Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Program Files (x86)\Wasper\Wasper.exe
"C:\Program Files (x86)\Wasper\Wasper.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Users\Admin\AppData\Local\Temp\45240879-d37b-4928-947d-5acc6d9d29b1\snss1.exe
"C:\Users\Admin\AppData\Local\Temp\45240879-d37b-4928-947d-5acc6d9d29b1\snss1.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5344

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5848

C:\Users\Admin\AppData\Local\Temp\45240879-d37b-4928-947d-5acc6d9d29b1\snss2.exe
"C:\Users\Admin\AppData\Local\Temp\45240879-d37b-4928-947d-5acc6d9d29b1\snss2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5188

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15862822784228732305,15568321014457119736,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4788 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x418
1⤵
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wasper\System.Collections.Concurrent.dll
Filesize
270KB

MD5
38d21e067d7673194a84cced59066ac8

SHA1
e64362176f714b23603f3a67f1e741f12e35a832

SHA256
483130bfd1e57a0cbfd8a4f3c6e2353ac3f246276f9476c83cca1cadbc47ef47

SHA512
3fa6f78ff0cb527a8e82261549f24a8609d005821ac5c5e7257670dffd55472a134af3ef78d73779758303ae5a90728181cd4caebc871c5cfa4c309141201baf

Download Submit
C:\Program Files (x86)\Wasper\System.Collections.dll
Filesize
254KB

MD5
92063926c04f2e4bf5b5fde16542831d

SHA1
e7be34eaff2d3d8796911d21f1fdbb93bf231dec

SHA256
9193aaef3ea8f19408f88c25fcaf5880e7836d1c35028d7e4077f6090b083541

SHA512
e855ee37980d1da2d143ee39133b05fff81937e529cffe74433e73088549daabd3abadbf05f3765bf3ffffd50313f0ed966efec0eb244d7363241affd73cc29f

Download Submit
C:\Program Files (x86)\Wasper\System.IO.FileSystem.dll
Filesize
15KB

MD5
35e27f4c681085a4b096826ee8ea4f53

SHA1
cf3ea4304e5558c8fdd4422e4d72509cd91ea719

SHA256
7bd41c6b12b73e6e90476f2d56db8581664abe07e7ab9bf2917bb254ed1d75ad

SHA512
1f9e6519ff29524e57cb0b3576ab118014293aade8f30027ef44b1f29a8e9a54e7bcb3b288a92dba996053b16016807d93fa9f44f2c43666ddc6425ddd7ae4b9

Download Submit
C:\Program Files (x86)\Wasper\System.Memory.dll
Filesize
154KB

MD5
7e999da530c21a292cec8a642127b8c8

SHA1
6585d0260ae98bab2ad1eaba0f9cfe8ebb8a0b3f

SHA256
3af25e0c81c1462d0db86f55c4e5fd8c048c70685f9a566d29d499bc46935fb4

SHA512
a18b6649b5c2f9f96bf639863df9faad436759200a64f91fb2d955f33c71ce4b2d5798be982f692a247ac864d8acb63fb731b31c06333e5c7d9a9c895ecd6451

Download Submit
C:\Program Files (x86)\Wasper\System.Private.CoreLib.dll
Filesize
12.6MB

MD5
805cf170e27dd31219a6b873c17dce88

SHA1
ac90fa4690a8b54b6248dcb4c41a2c9a74547667

SHA256
ba7e61a00e7a4634b5c5a79b83126f75580ceec235c613000c3efbc01826cad0

SHA512
fa946aae906b66cb5570155a1c77340f2b6d4efb9be16068da03a8f1c5b5f37ad847d65cd1416017db19375dc6a72670300da4c766e6d9bb1a00374f492bd866

Download Submit
C:\Program Files (x86)\Wasper\System.Private.Xml.Linq.dll
Filesize
394KB

MD5
60ed8b2bffc748d6a2a1fed8fa923368

SHA1
be411429b9a649a495124558c5e5d95a83525d58

SHA256
0b63cebb991d1911a607993ea5b4639f34a2b0b381a73973542db2d3591e9f90

SHA512
b0a4ac2aa96d827258bb30f098512741ad3f93585e05ceae0255e15cd8dc9ab8048788902c1eb32a813e9c69c8a923200a716b4e00f579c22a0b425665e575f8

Download Submit
C:\Program Files (x86)\Wasper\System.Private.Xml.dll
Filesize
7.6MB

MD5
46aebfbd6d7e74d4d558da62d7600d25

SHA1
9c1cd44ab8b5e283967427e91cbddddfc0c2bf5a

SHA256
834e304221e742a831be5c5178892258e689eae35b730172e74161af2785aab9

SHA512
9c4499d174a988cc3830aafcc42f79defff37b16198f49cf5d2dc86f88809fcb44e0c300351f813d46addf9998f64448c50213f1721c6a307aad21c205db1524

Download Submit
C:\Program Files (x86)\Wasper\System.Reflection.Emit.ILGeneration.dll
Filesize
15KB

MD5
0332c7e8e9a330080d6f0fb6c9b17b3f

SHA1
f168f25ccade467fe0efaac6ad2a09c1f2cb783b

SHA256
879b6c4221cb2bf24b79abca0709b2919904d8685fff5a69220fe6c2425d4112

SHA512
c3c4026d41f4e7832bf94e921fd6937918001fa98c52c5a8c115b5d538ad348425e290d93187af4779424b8142aca9b8bbfb6c5a1493ff2be655a2637b454512

Download Submit
C:\Program Files (x86)\Wasper\System.Reflection.Emit.Lightweight.dll
Filesize
15KB

MD5
23120034a510d234c79711940d1b809d

SHA1
1b1cb29537a8b78279909a794159fc4c70174430

SHA256
0518f171d45803ce07a79b27eb65e5d3277b711d15c8d2fd5964e044167db49f

SHA512
99af585ef71ff917d4c77f46b189cc14d1cd4efe9b35e6c33d0eef8112158574c8fb417801cf5207e412f7254de1a8cd789e208e17f01cd19ebafb7b133afd2a

Download Submit
C:\Program Files (x86)\Wasper\System.Reflection.Primitives.dll
Filesize
15KB

MD5
579b0fcf2dfe1a1250a0ad29ed54b1f8

SHA1
2157ad05803ec234606bf7e547bf644021b4f6fe

SHA256
d7769658065897653651107e0138f6bb7515932886374ba11833176a931411d7

SHA512
2666a0ac8591905af580afb25163485d773896d38de5f6a04b571103a821d7221d0e60ccee7752740e3465015b6bbea306e5fc9634e4c6c46b2d0c9d8da4c9c6

Download Submit
C:\Program Files (x86)\Wasper\System.Runtime.InteropServices.dll
Filesize
94KB

MD5
49c86e36b713e2b7daeb7547cede45fb

SHA1
75fe38864362226d2cce32b2c25432b1fd18ba37

SHA256
756de3f5f2e07b478ac046a0ac976b992ef6bc653a1be2bb1e28524a4ff8d67d

SHA512
a9bd42b626158c540be04f8d392620daba544a55b7438d6caefe93b9df10ec2219f28959c4e0d706a86b92008275de94dfdf19de730787cdacf46d99fc45e3a9

Download Submit
C:\Program Files (x86)\Wasper\System.Runtime.dll
Filesize
42KB

MD5
53501b2f33c210123a1a08a977d16b25

SHA1
354e358d7cf2a655e80c4e4a645733c3db0e7e4d

SHA256
1fc86ada2ec543a85b8a06a9470a7b5aaa91eb03cfe497a32cd52a1e043ea100

SHA512
9ef3b47ddd275de9dfb5ded34a69a74af2689ebcb34911f0e4ffef9e2faf409e2395c7730bce364b5668b2b3b3e05a7b5998586563fb15e22c223859b2e77796

Download Submit
C:\Program Files (x86)\Wasper\System.Security.Cryptography.Algorithms.dll
Filesize
17KB

MD5
8f3b379221c31a9c5a39e31e136d0fda

SHA1
e57e8efe5609b27e8c180a04a16fbe1a82f5557d

SHA256
c99c6b384655e1af4ae5161fe9d54d95828ae17b18b884b0a99258f1c45aa388

SHA512
377f4e611a7cf2d5035f4622c590572031a476dd111598168acea1844aaa425c0fe012c763fbc16290c7b32c6c7df7b2563c88227e3dbc5d2bd02250c9d368d9

Download Submit
C:\Program Files (x86)\Wasper\System.Security.Cryptography.Csp.dll
Filesize
15KB

MD5
c7f55dbc6f5090194c5907054779e982

SHA1
efa17e697b8cfd607c728608a3926eda7cd88238

SHA256
16bc1f72938d96deca5ce031a29a43552385674c83f07e4f91d387f5f01b8d0a

SHA512
ae0164273b04afdec2257ae30126a8b44d80ee52725009cc917d28d09fcfb19dfbbb3a817423e98af36f773015768fed9964331d992ad1830f6797b854c0c355

Download Submit
C:\Program Files (x86)\Wasper\System.Security.Cryptography.Primitives.dll
Filesize
15KB

MD5
777ac34f9d89c6e4753b7a7b3be4ca29

SHA1
27e4bd1bfd7c9d9b0b19f3d6008582b44c156443

SHA256
6703e8d35df4b6389f43df88cc35fc3b3823fb3a7f04e5eb540b0af39f5fa622

SHA512
a791fa27b37c67ace72956680c662eb68f053fa8c8f4205f6ed78ecb2748d27d9010a8de94669d0ee33a8fca885380f8e6cfad9f475b07f60d34cdcb02d57439

Download Submit
C:\Program Files (x86)\Wasper\System.Security.Cryptography.dll
Filesize
2.0MB

MD5
75f18d3666eb009dd86fab998bb98710

SHA1
b273f135e289d528c0cfffad5613a272437b1f77

SHA256
4582f67764410785714a30fa05ffaaad78fe1bc8d4689889a43c2af825b2002e

SHA512
9e110e87e00f42c228729e649903ad649b962ae28900d486ee8f96c47acca094dbace608f9504745abf7e69597cdef3c6b544b5194703882a0a7f27b011fa8d5

Download Submit
C:\Program Files (x86)\Wasper\System.Threading.Thread.dll
Filesize
15KB

MD5
72d839e793c4f3200d4c5a6d4aa28d20

SHA1
fbc25dd97b031a6faddd7e33bc500719e8eead19

SHA256
84c9a95609878542f00fe7da658f62d1a6943a43e6346af80d26bcff069a4dbd

SHA512
a414cd9d7cf6a04709f3bdbef0295349b845a8301171ed6394e97b9993f35816383b958736c814f91c359a783cca86ee04802856486d4b4e0ab90a45da39db1d

Download Submit
C:\Program Files (x86)\Wasper\System.Threading.dll
Filesize
82KB

MD5
32aa6e809d0ddb57806c6c23b584440e

SHA1
6bd651b9456f88a28f7054af475031afe52b7b64

SHA256
e8d1f5c422ee0ba3b235b22028ab92dc77c1ff9774edc0b940cad7224a30ba7d

SHA512
fe43b3d6ed5c37d59a44636d3c7522a88d83e6ec074bf69d3cbb6e5454fdd8f0523ea10fdf6fd452cbd0e2fc159cf9d03dfad6b30e80e400e7f1773b5a2e8632

Download Submit
C:\Program Files (x86)\Wasper\Wasper.dll
Filesize
768KB

MD5
272dcf8bbd5f8ec1cc9e516104621be0

SHA1
e224eec94f7224d2d25f8aa3f2103320144b83d1

SHA256
0d943902cdf7ce56276e60e2b1bed404c47f4cfb711ed879b8e9a0eda2aabf40

SHA512
3f0de43d8436df67e71a6f0f4536389c332a9d57916dfe734d4e24d5a5114bf32aa1e33a68da47ae3dbaa2ded511f4cf98186c8d54bfae7ab9d9ff3bb577a484

Download Submit
C:\Program Files (x86)\Wasper\Wasper.exe
Filesize
307KB

MD5
a1d56f16a196f9d2c5cc8464d23ded53

SHA1
20b964bfa8ae41e5872f4dba559bdabf49635c3b

SHA256
49a924c91909318361eb7c0c5af1df5a9ebe5eaf2c38e14c84a51ce42c2586b5

SHA512
e19d896e7dce5b8c82c0013820f2012ac2c19575a8395b36095194ca5d02e1302cb9c91143419b0b1ae1a9804c8ec9370ff6899396fe97e1536a240b89274e7d

Download Submit
C:\Program Files (x86)\Wasper\clrjit.dll
Filesize
1.7MB

MD5
8b81a3f0521b10e9de59507fe8efd685

SHA1
0516ff331e09fbd88817d265ff9dd0b647f31acb

SHA256
0759c8129bc761fe039e1cacb92c643606591cb8149a2ed33ee16babc9768dcb

SHA512
ea11c04b92a76957dcebe9667bef1881fc9afa0f8c1547e23ada8125aa9e40d36e0efaf5749da346ba40c66da439cbd15bf98453e1f8dab4fe1efd5618fdc176

Download Submit
C:\Program Files (x86)\Wasper\coreclr.dll
Filesize
4.8MB

MD5
9369162a572d150dca56c7ebcbb19285

SHA1
81ce4faeecbd9ba219411a6e61d3510aa90d971d

SHA256
871949a2ec19c183ccdacdea54c7b3e43c590eaf445e1b58817ee1cb3ce366d5

SHA512
1eb5eb2d90e3dd38023a3ae461f717837ce50c2f9fc5e882b0593ab81dae1748bdbb7b9b0c832451dfe3c1529f5e1894a451365b8c872a8c0a185b521dbcd16b

Download Submit
C:\Program Files (x86)\Wasper\hostfxr.dll
Filesize
342KB

MD5
16532d13721ba4eac3ca60c29eefb16d

SHA1
f058d96f8e93b5291c07afdc1d891a8cc3edc9a0

SHA256
5aa15c6119b971742a7f824609739198a3c7c499370ed8b8df5a5942f69d9303

SHA512
9da30d469b4faed86a4bc62617b309f34e6bda66a3021b4a27d197d4bcb361f859c1a7c0aa2d16f0867ad93524b62a5f4e5ae5cf082da47fece87fc3d32ab100

Download Submit
C:\Program Files (x86)\Wasper\hostpolicy.dll
Filesize
388KB

MD5
a7e9ed205cf16318d90734d184f220d0

SHA1
10de2d33e05728e409e254441e864590b77e9637

SHA256
02c8dbe7bf1999352fc561cb35b51c6a88c881a4223c478c91768fdaf8e47b62

SHA512
3ecbaf20946e27d924a38c5a2bf11bac7b678b8c4ebf6f436c923ea935982500e97f91d0e934b7fd6b1fc2a2fd34e7d7b31dbbe91314a218724b3b2fd64c4052

Download Submit
C:\Program Files (x86)\Wasper\mscorrc.dll
Filesize
133KB

MD5
53e03d5e3bffa02fbc7fb1420ac8e858

SHA1
36c44c9ff39815aa167f341c286c5cd1514f771f

SHA256
23a433398be5135222ee14bb1de6334e7b22bad1a38664a83f1cf19dfbddd960

SHA512
f6aca16b90f6b4efa413dc9a8f1d05e83c1e3791b2cb988f9bce69d5272a0077c1edcae4111a494d166b5e3ab4e25956dead4e93ee1e43417c2b7bb082292170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
c6bd61e4586f4cafabb535a7bfe6f86c

SHA1
b440f0e7982398b786ca93e7d4e8dbb3d2d53941

SHA256
560a6a1dcd0e750a1ded0d05c8ae331b16f8b8e26706e013f524b2d62827c13b

SHA512
5d5a852f581bc64799231d8a2640953026d335fcac64adae6d332ca6f6b880a4f692ace8c0da1e2165a4f9d6b2a6ff73a01333a6e2b9945d31fe8a2aa7571699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
98feb2bf50859cebd2196ccc037b64e2

SHA1
e96a203b7a4971bac2e041d0e23c02d986f9749a

SHA256
5d494fdc786b96862f5c4243f78c98505400514356855d993a6f51b1b824ead4

SHA512
a3c9e401f61c0c1729033a5eca3e4eb40290b65e1baca81d342c660322c61cdde0907f0cdcb094948cb936b567653d7e246b1af37e9ecef2cec5c30822f64111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
96d727bd30936275d45e69fb4668b93d

SHA1
b3396005a2b33a2fab0ffc204fe7d2ff822de8f4

SHA256
ef183364e69faefcd32dccc5bf6e5552cff29c03421c577e598490f2e396c91c

SHA512
d83697c7169fbcba13bc4a61b0c1a1536755f2e059e98199d414625b4b50e4b26806a3cca0736b78148669aa2450859f1e5efa71ffb54cba4dbc91e9c4f2bae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1dec1d40054a8c0fbe12e1b7acfc2c57

SHA1
96c7dabff85a2f66af9a02c46495bdb6e3ec3a40

SHA256
5facb77cbebc7295462fd1965642fb3baee6bc1ab5d6414afbd9ee3e48c9fe10

SHA512
45b9d5776501a6ab475c3489c44973ba43f75c3fd479d58cf66fd9975101ac6991d1b6aa4102ae6f936bbd3d5ee568a26940126925bcbcc16bce023b715da32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d393e74b73f502342e19e6fd4c2cb4bd

SHA1
14b554f5cdb4de8f6ee8d010fb8e07fc06f2d6f2

SHA256
e658f7fe4fce3a478550ce1875a69c31e1f16fa779c4bb6b1c4dadd1eeffcdfe

SHA512
25cbd88380d1eadf785350697245640549732d2bd4158b878b8efd1af209d08befc7a1c633aad39d9e31acf315a8f1d00f1b5426b602b44ddc06f6e196f7eb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d304066af41f29b8a4dded67a003dd66

SHA1
16d4c02f1a1a273074d3ab7b7f56cf49de52849f

SHA256
6648455ae36632778e7917ae562a101c6d9f1d6a3b27b4d944f4b2137560008a

SHA512
42838c7e8dfa4968665e38abfae090670fe5047b6536758c98f795767353b1aec19893271a66d9355a123ff69a68e555abe99ec8fd875a09c7604b353655e6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
706B

MD5
788ee7f6fb3d01c756f89dca1d6ad8e9

SHA1
77eab06ffff3f8f49dc33e86642a88db03895996

SHA256
0bf0b4299fb8e52caac413cb9f03a0a9032eee20cc69631c009d31e9431d1eab

SHA512
0fa72980464eff2b00a2eafba6dafb8b94f60c66a828399ff253d57cc649cf0a1f2d0aba532144f3b29a0f43a279cfa4172cbecf00c35e5fad54c2d84b6075e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c12d.TMP
Filesize
372B

MD5
18bb5a1bce87fa9200e9408cf48b0a8a

SHA1
24105a701f7e0037dc4ea696177a3633249c62ef

SHA256
06f919864b45925931b4a58f584abafd63063e3c9727a9d5b7cc07f0823026a3

SHA512
cfae9d8971241b6d8f368ec781a57e7941d8f8f76825e9987a8de0e4e1fe8185d08b4bcd9b6dade02e640646a776f5128af472e199b268a02faed756841bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ccb0ddffb984f763787142a586bd75fd

SHA1
05cc01d57316584d65ebc156b0d36eecd7005804

SHA256
336c2621cb3a0a907463ae093ce41d2549d2bf7c239ac0b58b22f6679ff5ecda

SHA512
b2f894632861a699bbc3cff8fc08577159ebea5003b50da6ebb15bc21cb78918ec78f61ef10c422f3f0ed9dd54cb26313b2ea888dbbd9574d5433dcbc07bf77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
65034869beaaced1deebde7ff8bb411c

SHA1
2e746698a763f459cb32ae9b501affa17cda0512

SHA256
ed53ad5b643d30121217e3ec54f827c7ec28c055b9d44cb595641d5e0b6d12eb

SHA512
4c6c5b4e515d10b05915dc764f6e851d91533c40fc05c0648f8e14ba3d444889507fb8c9427672c66c7277f2f70ae26844f52ec8f16ccfc4cc3c768f8f490af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ai3pqvuw.hzf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspE8C7.tmp\InstallOptions.dll
Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspE8C7.tmp\LangDLL.dll
Filesize
5KB

MD5
50016010fb0d8db2bc4cd258ceb43be5

SHA1
44ba95ee12e69da72478cf358c93533a9c7a01dc

SHA256
32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

SHA512
ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspE8C7.tmp\System.dll
Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspE8C7.tmp\ioSpecial.ini
Filesize
1KB

MD5
0b2563048a4dffcc3d75e2fb9c15fbb3

SHA1
c194cd563936a888b4383785a098110d49b87292

SHA256
893dae12015e4c6e6d189be3557a43090fc04581e8f02482eb588e50c042b64d

SHA512
ad14eb5b5f33d17fdf3fe6a056eb05e9499a812d30459467930a31a4ca89d2c91a978b2bf8498a7c5ada691ac3645d29c7533796be18f1669a532b3b85d5e76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspE8C7.tmp\ioSpecial.ini
Filesize
1KB

MD5
e32ce1d4f55055d158fd1e95740cc900

SHA1
39647adadd32f1aa9770b5050749a142b6a11161

SHA256
f2a95237b580ddac8d3c889dae1598d8732b7e9afd0047bcf28d9175cb42d646

SHA512
bc429f3ccbc64ff711b61901f8d938ae9be1cafe73359f882427b3bc9683c1e33903bb0d9c48a446588ee2468a5097f14337ced61d971be50bd6c7e054110d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspE8C7.tmp\ioSpecial.ini
Filesize
1KB

MD5
18e737b25a9fda15778927588b8aec81

SHA1
6b29a51cfc0b1f155bcad7765a2126d16265ea62

SHA256
01a610e8ca62ff5753acdf84ab5ad4d7edd1eaed8e3a45dfc47ff2ede6e47b12

SHA512
9297e76b223873b8d50ed57ac00a6c3c08442959352f9407cea9cdc5f25110c30d8d1e8c3b098ee2c0d2afcccbba3ec74006e07e25e126db339cc0aa5d3e43e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspE8C7.tmp\ioSpecial.ini
Filesize
1KB

MD5
588725b87362f16949849270d02aba0a

SHA1
e8c71e3700134aeb03cd49ba9ea0e5bd96352b93

SHA256
40fe6ff2cdddf91cbc7d7da2c4a5af9007aee2ec84f0a5aca2a9cb095c68fc0c

SHA512
b5b8436b15e1833cc6490cd20fdf3dbcc882111b800953bca1de762918a9059d6fff1d4ec6094a9adfb0e641b300b8e914ddd03616c4305387bc1a7072928c0a

Download Submit
C:\Users\Admin\Downloads\Wasper Setup.exe
Filesize
47.4MB

MD5
b01e2c78075fc20ac1bf3635cd1e53e8

SHA1
e539a206ad13f44f79df130aba22bfbd391fa419

SHA256
6be33f65dec182a41c3e8b2b571fa14247f7b9becf78a005ac5f59b72f168387

SHA512
c72c1e4ca2878b5657cd9aa7d2d4492ae8bc32488c4c4fce744e13c7644b9003b3f69d1f394fc2544619d6489e3167045cfd379bd040a9a2181a51aa4a1e2482

Download Submit
\??\pipe\LOCAL\crashpad_3656_JWBKFNKGTYDCSLLQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3032-1021-0x0000014AC6740000-0x0000014AC6762000-memory.dmp

Filesize
136KB

Download
memory/4012-1057-0x0000000000400000-0x00000000009E7000-memory.dmp

Filesize
5.9MB

Download
memory/4012-1058-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/4012-1059-0x00007FFBB7570000-0x00007FFBB7765000-memory.dmp

Filesize
2.0MB

Download
memory/4012-1060-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/4380-1136-0x0000000000E90000-0x0000000001036000-memory.dmp

Filesize
1.6MB

Download
memory/4380-1139-0x0000000075160000-0x00000000752DB000-memory.dmp

Filesize
1.5MB

Download
memory/4380-1138-0x00007FFBB7570000-0x00007FFBB7765000-memory.dmp

Filesize
2.0MB

Download
memory/4380-1137-0x0000000075160000-0x00000000752DB000-memory.dmp

Filesize
1.5MB

Download
memory/4712-1145-0x00007FFBB7570000-0x00007FFBB7765000-memory.dmp

Filesize
2.0MB

Download
memory/4712-1144-0x00000000001A0000-0x000000000021F000-memory.dmp

Filesize
508KB

Download
memory/4712-1148-0x00000000001A0000-0x000000000021F000-memory.dmp

Filesize
508KB

Download
memory/4712-1146-0x00000000001A0000-0x000000000021F000-memory.dmp

Filesize
508KB

Download
memory/4712-1150-0x0000000004A70000-0x0000000004E70000-memory.dmp

Filesize
4.0MB

Download
memory/4712-1149-0x0000000004A70000-0x0000000004E70000-memory.dmp

Filesize
4.0MB

Download
memory/4712-1156-0x00000000001A0000-0x000000000021F000-memory.dmp

Filesize
508KB

Download
memory/4712-1153-0x0000000075E40000-0x0000000076055000-memory.dmp

Filesize
2.1MB

Download
memory/5044-1154-0x0000000000A60000-0x0000000000A69000-memory.dmp

Filesize
36KB

Download
memory/5044-1158-0x0000000002630000-0x0000000002A30000-memory.dmp

Filesize
4.0MB

Download
memory/5044-1161-0x0000000075E40000-0x0000000076055000-memory.dmp

Filesize
2.1MB

Download
memory/5044-1159-0x00007FFBB7570000-0x00007FFBB7765000-memory.dmp

Filesize
2.0MB

Download
memory/5188-1141-0x00007FFBB7570000-0x00007FFBB7765000-memory.dmp

Filesize
2.0MB

Download
memory/5188-1142-0x0000000075160000-0x00000000752DB000-memory.dmp

Filesize
1.5MB

Download
memory/5344-1063-0x00007FFBB7570000-0x00007FFBB7765000-memory.dmp

Filesize
2.0MB

Download
memory/5344-1064-0x0000000074710000-0x000000007488B000-memory.dmp

Filesize
1.5MB

Download
memory/5848-1071-0x00000000004D0000-0x000000000070E000-memory.dmp

Filesize
2.2MB

Download
memory/5848-1066-0x00000000004D0000-0x000000000070E000-memory.dmp

Filesize
2.2MB

Download
memory/5848-1067-0x00007FFBB7570000-0x00007FFBB7765000-memory.dmp

Filesize
2.0MB

Download
memory/5848-1068-0x00000000004D0000-0x000000000070E000-memory.dmp

Filesize
2.2MB

Download
memory/5848-1134-0x00000000004D0000-0x000000000070E000-memory.dmp

Filesize
2.2MB

Download
memory/5848-1073-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download