Analysis
-
max time kernel
188s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
11/10/2022, 22:49
Static task
static1
Behavioral task
behavioral1
Sample
beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
Resource
win10v2004-20220812-en
General
-
Target
beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
-
Size
8KB
-
MD5
488aa9dec48741ab565dd7bbc1fac780
-
SHA1
01278d361fde94cf08555bc874ee68c619a8608f
-
SHA256
beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba
-
SHA512
d8f94f9e956913bbad6dc74e58446e5a528c9d7723b29fc8261f2cb34dc4448255eae67a34366f185b401b5122d0683fb72146ab8021a010c0547f42b1b09c0e
-
SSDEEP
48:OEPLut1cj50HfvmC5rG12HuYVMNkAkvCAMud9+PGIAByhBefV+MfHH:nPatqmHdKAHR0dkaKkpAcBSAMfn
Malware Config
Signatures
-
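Drops file in System32 directory (64 IoCs)
Note: the events recorded under this signature are all "File opened for modification" on existing executables rather than newly created files, and every path shown is under Windows\SysWOW64, the 32-bit system directory on 64-bit Windows, not System32 itself. The report shows write access being requested; it does not show whether file contents were changed, so the listed binaries should be compared against known-good copies before drawing conclusions.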
description ioc Process
File opened for modification \??\c:\Windows\SysWOW64\msfeedssync.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\cacls.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\PkgMgr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\tracerpt.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\dxdiag.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\ipconfig.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\dpapimig.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\ocsetup.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\schtasks.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\sfc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\wusa.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\eventvwr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\fc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\hdwwiz.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\NETSTAT.EXE beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\AtBroker.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\schtasks.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\secinit.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\SystemPropertiesComputerName.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\charmap.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\newdev.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\DeviceProperties.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\PATHPING.EXE beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\unregmp2.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\fltMC.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\dfrgui.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\setupugc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\Netplwiz.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\logagent.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\mtstocom.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\takeown.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\sdiagnhost.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\taskmgr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\msiexec.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\mspaint.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\taskmgr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\userinit.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\runas.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\ARP.EXE beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\timeout.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\user.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\ipconfig.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\TRACERT.EXE beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\unlodctr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\mountvol.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\resmon.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\sdchange.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\xpsrchvw.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\perfmon.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\RegisterIEPKEYs.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\regedit.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\expand.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\gpresult.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\MigAutoPlay.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\sethc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\winver.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\RmClient.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\SysWOW64\tcmsetup.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\colorcpl.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\fontview.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\reg.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\secinit.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\SndVol.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification \??\c:\Windows\SysWOW64\srdelayed.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
-
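Drops file in Windows directory (64 IoCs)
Note: the events recorded under this signature are all "File opened for modification" on existing executables, mostly in the C:\Windows\winsxs component store (including its Backup folder) plus C:\Windows\ehome. The report shows write access being requested; it does not show whether file contents were changed.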
description ioc Process
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-c..utermanagerlauncher_31bf3856ad364e35_6.1.7600.16385_none_ea0a643b0e032c19\CompMgmtLauncher.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-regini_31bf3856ad364e35_6.1.7600.16385_none_684b2e15d381ea25\regini.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-write_31bf3856ad364e35_6.1.7600.16385_none_bb77c3d6f6c8e3f6\write.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_netfx-dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_96dbb959ba7c7a79\dfsvc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_ndadmin.exe_8e57269f beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPDSVR.EXE beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_b7be8a14d61db17a\eudcedit.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_fa8534ab236134c4\mfpmp.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.1.7600.16385_none_87a28b30f517e40e\printfilterpipelinesvc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\query.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inkwatson_31bf3856ad364e35_6.1.7600.16385_none_644c1a991aac9ffb\InkWatson.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_8.0.7600.16385_none_7d25450501edb94f\ielowutil.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\ehome\ehexthost.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-certutil_31bf3856ad364e35_6.1.7600.16385_none_1179f9944d0d9973\certutil.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhst3g.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-directshow-dvdplay_31bf3856ad364e35_6.1.7600.16385_none_5da314d233bb2676\dvdplay.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehshell_31bf3856ad364e35_6.1.7600.16385_none_95955bd51390781b\ehshell.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1196a9003b674a92\iexplore.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\ieUnatt.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-adminservice_31bf3856ad364e35_6.1.7600.16385_none_b65cdbcf116dd7c5\WMSvc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..cationnotifications_31bf3856ad364e35_6.1.7600.16385_none_737951ab23cf8ea0\LocationNotifications.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-securestartup-tool-exe_31bf3856ad364e35_6.1.7601.17514_none_5840c326cdf5dca9\manage-bde.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\windeploy.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidpolicyconverter.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..-management-console_31bf3856ad364e35_6.1.7600.16385_none_6b683cb78f534561\mmc.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\print.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-synchost_31bf3856ad364e35_6.1.7600.16385_none_c575fec016436d8a\SyncHost.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_402eca316047a0fe\dialer.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_6.1.7600.16385_none_975df0a6f5a54628\gpupdate.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-pnputil_31bf3856ad364e35_6.1.7600.16385_none_5958b438d6388d15\PnPutil.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-security-tools-ksetup_31bf3856ad364e35_6.1.7600.16385_none_7861b83567d966e6\ksetup.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-where_31bf3856ad364e35_6.1.7600.16385_none_b9c82ac6f7db99ae\where.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidcertstorecheck.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-c..plus-setup-migregdb_31bf3856ad364e35_6.1.7600.16385_none_8945930a7d61b9f0\MigRegDB.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.1.7601.17514_none_d6fc8d83d55eb77c\dpnsvr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_ce2d22115368db7a\WerFaultSecure.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_8.0.7600.16385_none_d009281f9a108e04\mshta.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mountvol_31bf3856ad364e35_6.1.7600.16385_none_0e4e6b146b2452a9\mountvol.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_6.1.7601.17514_none_832fc1bb7d681e0d\sdclt.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_6.1.7601.17514_none_e2a1ffe0ca40cff2_recdisc.exe_20690b49 beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e\expand.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.1.7600.16385_none_901eda10f3ab38d2\McrMgr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-wtvconverter_31bf3856ad364e35_6.1.7600.16385_none_a8464accb5a91f59\WTVConverter.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-es-authentication_31bf3856ad364e35_6.1.7600.16385_none_9db1ae483049e160\EhStorAuthn.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_a044d905576812d4\odbcad32.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..otservicing-utility_31bf3856ad364e35_6.1.7600.16385_none_d139a2cea567ce3f\fveupdate.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7601.17514_none_78875ce737927d27_sppsvc.exe_fc6922a9 beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\ehome\mcspad.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_2b95a17838063e9b\AtBroker.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPMGR.EXE beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_6.1.7600.16385_none_e3c88f07d4c88269\InetMgr.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-rpc-locator_31bf3856ad364e35_6.1.7600.16385_none_2b2984d40648fbe7\Locator.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_6.1.7601.17514_none_326571587836a400\wsqmcons.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-oobe-machine_31bf3856ad364e35_6.1.7601.17514_none_6ba44fa419d13382\msoobe.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_6.1.7601.17514_none_7d0125c85cc31d2a\rdpinit.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e_expand.exe_f43b24c8 beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_6.1.7600.16385_none_cc12387f7062eb3b\cliconfg.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\WinMail.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_c50af05b1be3aa2b\powershell.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..line-user-interface_31bf3856ad364e35_6.1.7600.16385_none_38dc646bf68909f4\cmdkey.exe beb59077d3a79684a6c787b1495f9c273d8c52b2952f9d298e560e7ba62127ba.exe