f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
Size

241KB
MD5

8f2b09351ea055aa7d21ea2361c98a4c
SHA1

d192b2308ff56f3a45fb9c433ee02d082828d49d
SHA256

f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e
SHA512

0cefb12432927d21a7d1a371d7b9fea2e4a4eb836f41388905fbde40f60fa0096d9622d01fb6a94227882de01edfa7f1447923dd918d2658973244643b53a3de
SSDEEP

6144:jfL+oq9k4prMAf+O/LE11c7ojuZUvyejrRX:jfLmkNX11GojuHefRX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
2144	testamentary.exe
3064	squaring.exe
2728	testamentary.exe
2792	squaring.exe
2600	testamentary.exe
3000	squaring.exe
1012	testamentary.exe
2024	squaring.exe
2084	testamentary.exe
1552	squaring.exe
2588	testamentary.exe
2476	squaring.exe
760	testamentary.exe
2944	squaring.exe
1596	testamentary.exe
2152	squaring.exe
1716	testamentary.exe
3032	squaring.exe
2456	testamentary.exe
308	squaring.exe
2284	testamentary.exe
2416	squaring.exe
1164	testamentary.exe
2736	squaring.exe
2360	testamentary.exe
2404	squaring.exe
2992	testamentary.exe
2596	squaring.exe
1476	testamentary.exe
1912	squaring.exe
2128	testamentary.exe
2036	squaring.exe

Loads dropped DLL 64 IoCs

pid	Process
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	testamentary.exe
2144	testamentary.exe
2144	testamentary.exe
3064	squaring.exe
3064	squaring.exe
3064	squaring.exe
2728	testamentary.exe
2728	testamentary.exe
2728	testamentary.exe
2792	squaring.exe
2792	squaring.exe
2792	squaring.exe
2600	testamentary.exe
2600	testamentary.exe
2600	testamentary.exe
3000	squaring.exe
3000	squaring.exe
3000	squaring.exe
1012	testamentary.exe
1012	testamentary.exe
1012	testamentary.exe
2024	squaring.exe
2024	squaring.exe
2024	squaring.exe
2084	testamentary.exe
2084	testamentary.exe
2084	testamentary.exe
1552	squaring.exe
1552	squaring.exe
1552	squaring.exe
2588	testamentary.exe
2588	testamentary.exe
2588	testamentary.exe
2476	squaring.exe
2476	squaring.exe
2476	squaring.exe
760	testamentary.exe
760	testamentary.exe
760	testamentary.exe
2944	squaring.exe
2944	squaring.exe
2944	squaring.exe
1596	testamentary.exe
1596	testamentary.exe
1596	testamentary.exe
2152	squaring.exe
2152	squaring.exe
2152	squaring.exe
1716	testamentary.exe
1716	testamentary.exe
1716	testamentary.exe
3032	squaring.exe
3032	squaring.exe
3032	squaring.exe
2456	testamentary.exe
2456	testamentary.exe
2456	testamentary.exe
308	squaring.exe
308	squaring.exe
308	squaring.exe
2284	testamentary.exe
2284	testamentary.exe
2284	testamentary.exe
2416	squaring.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2144	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	30
PID 836 wrote to memory of 2144	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	30
PID 836 wrote to memory of 2144	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	30
PID 836 wrote to memory of 2144	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	30
PID 836 wrote to memory of 3064	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	31
PID 836 wrote to memory of 3064	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	31
PID 836 wrote to memory of 3064	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	31
PID 836 wrote to memory of 3064	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	31
PID 836 wrote to memory of 2728	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	33
PID 836 wrote to memory of 2728	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	33
PID 836 wrote to memory of 2728	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	33
PID 836 wrote to memory of 2728	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	33
PID 836 wrote to memory of 2792	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	34
PID 836 wrote to memory of 2792	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	34
PID 836 wrote to memory of 2792	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	34
PID 836 wrote to memory of 2792	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	34
PID 836 wrote to memory of 2600	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	35
PID 836 wrote to memory of 2600	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	35
PID 836 wrote to memory of 2600	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	35
PID 836 wrote to memory of 2600	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	35
PID 836 wrote to memory of 3000	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	36
PID 836 wrote to memory of 3000	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	36
PID 836 wrote to memory of 3000	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	36
PID 836 wrote to memory of 3000	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	36
PID 836 wrote to memory of 1012	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	37
PID 836 wrote to memory of 1012	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	37
PID 836 wrote to memory of 1012	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	37
PID 836 wrote to memory of 1012	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	37
PID 836 wrote to memory of 2024	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	38
PID 836 wrote to memory of 2024	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	38
PID 836 wrote to memory of 2024	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	38
PID 836 wrote to memory of 2024	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	38
PID 836 wrote to memory of 2084	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	39
PID 836 wrote to memory of 2084	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	39
PID 836 wrote to memory of 2084	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	39
PID 836 wrote to memory of 2084	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	39
PID 836 wrote to memory of 1552	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	40
PID 836 wrote to memory of 1552	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	40
PID 836 wrote to memory of 1552	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	40
PID 836 wrote to memory of 1552	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	40
PID 836 wrote to memory of 2588	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	41
PID 836 wrote to memory of 2588	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	41
PID 836 wrote to memory of 2588	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	41
PID 836 wrote to memory of 2588	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	41
PID 836 wrote to memory of 2476	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	42
PID 836 wrote to memory of 2476	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	42
PID 836 wrote to memory of 2476	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	42
PID 836 wrote to memory of 2476	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	42
PID 836 wrote to memory of 760	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	43
PID 836 wrote to memory of 760	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	43
PID 836 wrote to memory of 760	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	43
PID 836 wrote to memory of 760	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	43
PID 836 wrote to memory of 2944	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	44
PID 836 wrote to memory of 2944	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	44
PID 836 wrote to memory of 2944	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	44
PID 836 wrote to memory of 2944	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	44
PID 836 wrote to memory of 1596	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	45
PID 836 wrote to memory of 1596	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	45
PID 836 wrote to memory of 1596	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	45
PID 836 wrote to memory of 1596	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	45
PID 836 wrote to memory of 2152	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	46
PID 836 wrote to memory of 2152	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	46
PID 836 wrote to memory of 2152	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	46
PID 836 wrote to memory of 2152	836	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	46

C:\Users\Admin\AppData\Local\Temp\f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
"C:\Users\Admin\AppData\Local\Temp\f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:308
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\squaring.exe

Filesize
139KB

MD5
fda656c75b581d0dce6537d159052bcd

SHA1
a06523896f54e51a1a7269356634cc0bbb069edd

SHA256
4ce66c1b06bab37a85a93c5e7d7c9ba6f79da608fab33a00c44b8b0a9443309d

SHA512
8e7928c0e0439da880b7f2b036aa4f89cabb365bfe83c17184336580101c96d3b1f2c2ddc254a99a73d7cd0e203c40a1b22f68ad803070d2537c82fb95718106

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB4A0.tmp\testamentary.exe

Filesize
189KB

MD5
9101a7f1e09281d413ece6d825020d92

SHA1
9df34287601a77e65cec58843474108dd0309f54

SHA256
781c6b118a97dd0301788d1882b18242d2768ad40752cb622f70e80d7e3a0a88

SHA512
8f3e5068f47817593ddd3eeb48848a1a49ffbb62fbc935c3d90757625ab3aec2e19f34d45b583dbe39dbd5cad11e00e0eb888dda6ffa9952b0851d0ada616425

Download Submit