f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
Size

241KB
MD5

8f2b09351ea055aa7d21ea2361c98a4c
SHA1

d192b2308ff56f3a45fb9c433ee02d082828d49d
SHA256

f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e
SHA512

0cefb12432927d21a7d1a371d7b9fea2e4a4eb836f41388905fbde40f60fa0096d9622d01fb6a94227882de01edfa7f1447923dd918d2658973244643b53a3de
SSDEEP

6144:jfL+oq9k4prMAf+O/LE11c7ojuZUvyejrRX:jfLmkNX11GojuHefRX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 32 IoCs

pid	Process
2756	testamentary.exe
4228	squaring.exe
2988	testamentary.exe
1948	squaring.exe
2260	testamentary.exe
4416	squaring.exe
2768	testamentary.exe
2472	squaring.exe
4064	testamentary.exe
376	squaring.exe
4500	testamentary.exe
4672	squaring.exe
4748	testamentary.exe
4316	squaring.exe
4068	testamentary.exe
4792	squaring.exe
532	testamentary.exe
4560	squaring.exe
3812	testamentary.exe
4128	squaring.exe
4276	testamentary.exe
3468	squaring.exe
2508	testamentary.exe
1856	squaring.exe
2628	testamentary.exe
3376	squaring.exe
4952	testamentary.exe
3896	squaring.exe
2864	testamentary.exe
2084	squaring.exe
3924	testamentary.exe
2492	squaring.exe

Loads dropped DLL 1 IoCs

pid	Process
4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	testamentary.exe
2756	testamentary.exe
2756	testamentary.exe
2756	testamentary.exe
4228	squaring.exe
4228	squaring.exe
4228	squaring.exe
4228	squaring.exe
2988	testamentary.exe
2988	testamentary.exe
2988	testamentary.exe
2988	testamentary.exe
1948	squaring.exe
1948	squaring.exe
1948	squaring.exe
1948	squaring.exe
2260	testamentary.exe
2260	testamentary.exe
2260	testamentary.exe
2260	testamentary.exe
4416	squaring.exe
4416	squaring.exe
4416	squaring.exe
4416	squaring.exe
2768	testamentary.exe
2768	testamentary.exe
2768	testamentary.exe
2768	testamentary.exe
2472	squaring.exe
2472	squaring.exe
2472	squaring.exe
2472	squaring.exe
4064	testamentary.exe
4064	testamentary.exe
4064	testamentary.exe
4064	testamentary.exe
376	squaring.exe
376	squaring.exe
376	squaring.exe
376	squaring.exe
4500	testamentary.exe
4500	testamentary.exe
4500	testamentary.exe
4500	testamentary.exe
4672	squaring.exe
4672	squaring.exe
4672	squaring.exe
4672	squaring.exe
4748	testamentary.exe
4748	testamentary.exe
4748	testamentary.exe
4748	testamentary.exe
4316	squaring.exe
4316	squaring.exe
4316	squaring.exe
4316	squaring.exe
4068	testamentary.exe
4068	testamentary.exe
4068	testamentary.exe
4068	testamentary.exe
4792	squaring.exe
4792	squaring.exe
4792	squaring.exe
4792	squaring.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 2756	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	85
PID 4312 wrote to memory of 2756	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	85
PID 4312 wrote to memory of 4228	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	87
PID 4312 wrote to memory of 4228	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	87
PID 4312 wrote to memory of 4228	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	87
PID 4312 wrote to memory of 2988	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	88
PID 4312 wrote to memory of 2988	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	88
PID 4312 wrote to memory of 1948	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	89
PID 4312 wrote to memory of 1948	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	89
PID 4312 wrote to memory of 1948	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	89
PID 4312 wrote to memory of 2260	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	90
PID 4312 wrote to memory of 2260	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	90
PID 4312 wrote to memory of 4416	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	91
PID 4312 wrote to memory of 4416	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	91
PID 4312 wrote to memory of 4416	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	91
PID 4312 wrote to memory of 2768	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	92
PID 4312 wrote to memory of 2768	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	92
PID 4312 wrote to memory of 2472	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	93
PID 4312 wrote to memory of 2472	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	93
PID 4312 wrote to memory of 2472	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	93
PID 4312 wrote to memory of 4064	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	97
PID 4312 wrote to memory of 4064	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	97
PID 4312 wrote to memory of 376	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	98
PID 4312 wrote to memory of 376	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	98
PID 4312 wrote to memory of 376	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	98
PID 4312 wrote to memory of 4500	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	99
PID 4312 wrote to memory of 4500	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	99
PID 4312 wrote to memory of 4672	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	100
PID 4312 wrote to memory of 4672	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	100
PID 4312 wrote to memory of 4672	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	100
PID 4312 wrote to memory of 4748	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	101
PID 4312 wrote to memory of 4748	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	101
PID 4312 wrote to memory of 4316	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	102
PID 4312 wrote to memory of 4316	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	102
PID 4312 wrote to memory of 4316	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	102
PID 4312 wrote to memory of 4068	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	103
PID 4312 wrote to memory of 4068	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	103
PID 4312 wrote to memory of 4792	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	104
PID 4312 wrote to memory of 4792	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	104
PID 4312 wrote to memory of 4792	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	104
PID 4312 wrote to memory of 532	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	105
PID 4312 wrote to memory of 532	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	105
PID 4312 wrote to memory of 4560	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	106
PID 4312 wrote to memory of 4560	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	106
PID 4312 wrote to memory of 4560	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	106
PID 4312 wrote to memory of 3812	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	107
PID 4312 wrote to memory of 3812	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	107
PID 4312 wrote to memory of 4128	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	108
PID 4312 wrote to memory of 4128	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	108
PID 4312 wrote to memory of 4128	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	108
PID 4312 wrote to memory of 4276	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	109
PID 4312 wrote to memory of 4276	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	109
PID 4312 wrote to memory of 3468	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	110
PID 4312 wrote to memory of 3468	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	110
PID 4312 wrote to memory of 3468	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	110
PID 4312 wrote to memory of 2508	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	111
PID 4312 wrote to memory of 2508	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	111
PID 4312 wrote to memory of 1856	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	112
PID 4312 wrote to memory of 1856	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	112
PID 4312 wrote to memory of 1856	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	112
PID 4312 wrote to memory of 2628	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	113
PID 4312 wrote to memory of 2628	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	113
PID 4312 wrote to memory of 3376	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	114
PID 4312 wrote to memory of 3376	4312	f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe	114

C:\Users\Admin\AppData\Local\Temp\f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe
"C:\Users\Admin\AppData\Local\Temp\f03ad0794f8ef74cd16b1c8227e5bf48c59f8d24131fe7e5753d1ff5224ad17e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4228
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe
  "C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x494
1⤵
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\squaring.exe

Filesize
139KB

MD5
fda656c75b581d0dce6537d159052bcd

SHA1
a06523896f54e51a1a7269356634cc0bbb069edd

SHA256
4ce66c1b06bab37a85a93c5e7d7c9ba6f79da608fab33a00c44b8b0a9443309d

SHA512
8e7928c0e0439da880b7f2b036aa4f89cabb365bfe83c17184336580101c96d3b1f2c2ddc254a99a73d7cd0e203c40a1b22f68ad803070d2537c82fb95718106

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm975F.tmp\testamentary.exe

Filesize
189KB

MD5
9101a7f1e09281d413ece6d825020d92

SHA1
9df34287601a77e65cec58843474108dd0309f54

SHA256
781c6b118a97dd0301788d1882b18242d2768ad40752cb622f70e80d7e3a0a88

SHA512
8f3e5068f47817593ddd3eeb48848a1a49ffbb62fbc935c3d90757625ab3aec2e19f34d45b583dbe39dbd5cad11e00e0eb888dda6ffa9952b0851d0ada616425

Download Submit