3a2f3c54be02bac607a869fa05c51d52331b1676beb3a59f0968822b8bef2fe3

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe
Size

96KB
MD5

8a8ddee5e576520c19eb6fe4974a2e56
SHA1

491adcbfbd0f25b194e8be6dee575f3bdf8b16e4
SHA256

3a2f3c54be02bac607a869fa05c51d52331b1676beb3a59f0968822b8bef2fe3
SHA512

7f2e53be2659e15c440938f371eba8326e1477755747cb26f1c69f9eb45cbdfbed2379a2a2bbb03f3fa886f5daddd89c12098772e49809e9c110a4306c5fc3e9
SSDEEP

1536:34hBHmf6cOahdkGulSc16l6u+NMMl/KlYv1T4hThF/NIjnZbf:Cgh6lu88FF/Cnxf

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	beaatu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe

Executes dropped EXE 64 IoCs

pid	Process
4960	beaatu.exe
2996	beaatu.exe
5220	beaatu.exe
1296	beaatu.exe
3596	beaatu.exe
2764	beaatu.exe
1724	beaatu.exe
2088	beaatu.exe
4908	beaatu.exe
2392	beaatu.exe
3024	beaatu.exe
5228	beaatu.exe
3628	beaatu.exe
2688	beaatu.exe
384	beaatu.exe
5996	beaatu.exe
3776	beaatu.exe
1220	beaatu.exe
4512	beaatu.exe
5856	beaatu.exe
4528	beaatu.exe
4740	beaatu.exe
3896	beaatu.exe
1568	beaatu.exe
4888	beaatu.exe
5292	beaatu.exe
4020	beaatu.exe
5140	beaatu.exe
3492	beaatu.exe
2936	beaatu.exe
1084	beaatu.exe
5644	beaatu.exe
5216	beaatu.exe
1600	beaatu.exe
1140	beaatu.exe
3976	beaatu.exe
4084	beaatu.exe
2480	beaatu.exe
1380	beaatu.exe
2116	beaatu.exe
1476	beaatu.exe
4416	beaatu.exe
5844	beaatu.exe
4744	beaatu.exe
1144	beaatu.exe
1756	beaatu.exe
2044	beaatu.exe
3324	beaatu.exe
1100	beaatu.exe
3336	beaatu.exe
4924	beaatu.exe
4208	beaatu.exe
4372	beaatu.exe
4368	beaatu.exe
4696	beaatu.exe
4056	beaatu.exe
5956	beaatu.exe
3644	beaatu.exe
1780	beaatu.exe
4508	beaatu.exe
1860	beaatu.exe
1992	beaatu.exe
4760	beaatu.exe
5980	beaatu.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /P"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /Y"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /y"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /K"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /e"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /d"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /s"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /r"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /k"	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /g"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /b"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /J"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /O"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /m"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /w"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /i"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /R"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /W"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /q"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /H"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /v"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /N"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /c"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /a"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /u"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /F"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /S"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /M"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /j"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /B"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /I"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /x"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /t"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /T"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /z"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /U"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /Q"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /l"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /k"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /f"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /X"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /E"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /Z"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /o"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /D"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /h"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /n"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /C"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /G"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /p"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /A"	beaatu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beaatu = "C:\\Users\\Admin\\beaatu.exe /L"	beaatu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beaatu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe
2196	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe
4960	beaatu.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2196	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe
4960	beaatu.exe
2996	beaatu.exe
5220	beaatu.exe
1296	beaatu.exe
3596	beaatu.exe
2764	beaatu.exe
1724	beaatu.exe
2088	beaatu.exe
4908	beaatu.exe
2392	beaatu.exe
3024	beaatu.exe
5228	beaatu.exe
3628	beaatu.exe
2688	beaatu.exe
384	beaatu.exe
5996	beaatu.exe
3776	beaatu.exe
1220	beaatu.exe
4512	beaatu.exe
5856	beaatu.exe
4528	beaatu.exe
4740	beaatu.exe
3896	beaatu.exe
1568	beaatu.exe
4888	beaatu.exe
5292	beaatu.exe
4020	beaatu.exe
5140	beaatu.exe
3492	beaatu.exe
2936	beaatu.exe
1084	beaatu.exe
5644	beaatu.exe
5216	beaatu.exe
1600	beaatu.exe
1140	beaatu.exe
3976	beaatu.exe
4084	beaatu.exe
2480	beaatu.exe
1380	beaatu.exe
2116	beaatu.exe
1476	beaatu.exe
4416	beaatu.exe
5844	beaatu.exe
4744	beaatu.exe
1144	beaatu.exe
1756	beaatu.exe
2044	beaatu.exe
3324	beaatu.exe
1100	beaatu.exe
3336	beaatu.exe
4924	beaatu.exe
4208	beaatu.exe
4372	beaatu.exe
4368	beaatu.exe
4696	beaatu.exe
4056	beaatu.exe
5956	beaatu.exe
3644	beaatu.exe
1780	beaatu.exe
4508	beaatu.exe
1860	beaatu.exe
1992	beaatu.exe
4760	beaatu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4960	2196	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe	95
PID 2196 wrote to memory of 4960	2196	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe	95
PID 2196 wrote to memory of 4960	2196	JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe	95
PID 2792 wrote to memory of 2996	2792	cmd.exe	98
PID 2792 wrote to memory of 2996	2792	cmd.exe	98
PID 2792 wrote to memory of 2996	2792	cmd.exe	98
PID 3856 wrote to memory of 5220	3856	cmd.exe	101
PID 3856 wrote to memory of 5220	3856	cmd.exe	101
PID 3856 wrote to memory of 5220	3856	cmd.exe	101
PID 440 wrote to memory of 1296	440	cmd.exe	105
PID 440 wrote to memory of 1296	440	cmd.exe	105
PID 440 wrote to memory of 1296	440	cmd.exe	105
PID 2788 wrote to memory of 3596	2788	cmd.exe	108
PID 2788 wrote to memory of 3596	2788	cmd.exe	108
PID 2788 wrote to memory of 3596	2788	cmd.exe	108
PID 4244 wrote to memory of 2764	4244	cmd.exe	111
PID 4244 wrote to memory of 2764	4244	cmd.exe	111
PID 4244 wrote to memory of 2764	4244	cmd.exe	111
PID 3680 wrote to memory of 1724	3680	cmd.exe	114
PID 3680 wrote to memory of 1724	3680	cmd.exe	114
PID 3680 wrote to memory of 1724	3680	cmd.exe	114
PID 6016 wrote to memory of 2088	6016	cmd.exe	118
PID 6016 wrote to memory of 2088	6016	cmd.exe	118
PID 6016 wrote to memory of 2088	6016	cmd.exe	118
PID 5644 wrote to memory of 4908	5644	cmd.exe	122
PID 5644 wrote to memory of 4908	5644	cmd.exe	122
PID 5644 wrote to memory of 4908	5644	cmd.exe	122
PID 616 wrote to memory of 2392	616	cmd.exe	125
PID 616 wrote to memory of 2392	616	cmd.exe	125
PID 616 wrote to memory of 2392	616	cmd.exe	125
PID 2724 wrote to memory of 3024	2724	cmd.exe	128
PID 2724 wrote to memory of 3024	2724	cmd.exe	128
PID 2724 wrote to memory of 3024	2724	cmd.exe	128
PID 388 wrote to memory of 5228	388	cmd.exe	131
PID 388 wrote to memory of 5228	388	cmd.exe	131
PID 388 wrote to memory of 5228	388	cmd.exe	131
PID 3656 wrote to memory of 3628	3656	cmd.exe	134
PID 3656 wrote to memory of 3628	3656	cmd.exe	134
PID 3656 wrote to memory of 3628	3656	cmd.exe	134
PID 4208 wrote to memory of 2688	4208	cmd.exe	137
PID 4208 wrote to memory of 2688	4208	cmd.exe	137
PID 4208 wrote to memory of 2688	4208	cmd.exe	137
PID 1620 wrote to memory of 384	1620	cmd.exe	140
PID 1620 wrote to memory of 384	1620	cmd.exe	140
PID 1620 wrote to memory of 384	1620	cmd.exe	140
PID 3464 wrote to memory of 5996	3464	cmd.exe	143
PID 3464 wrote to memory of 5996	3464	cmd.exe	143
PID 3464 wrote to memory of 5996	3464	cmd.exe	143
PID 2280 wrote to memory of 3776	2280	cmd.exe	146
PID 2280 wrote to memory of 3776	2280	cmd.exe	146
PID 2280 wrote to memory of 3776	2280	cmd.exe	146
PID 3496 wrote to memory of 1220	3496	cmd.exe	149
PID 3496 wrote to memory of 1220	3496	cmd.exe	149
PID 3496 wrote to memory of 1220	3496	cmd.exe	149
PID 4456 wrote to memory of 4512	4456	cmd.exe	152
PID 4456 wrote to memory of 4512	4456	cmd.exe	152
PID 4456 wrote to memory of 4512	4456	cmd.exe	152
PID 4832 wrote to memory of 5856	4832	cmd.exe	155
PID 4832 wrote to memory of 5856	4832	cmd.exe	155
PID 4832 wrote to memory of 5856	4832	cmd.exe	155
PID 1008 wrote to memory of 4528	1008	cmd.exe	158
PID 1008 wrote to memory of 4528	1008	cmd.exe	158
PID 1008 wrote to memory of 4528	1008	cmd.exe	158
PID 4856 wrote to memory of 4740	4856	cmd.exe	161

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8ddee5e576520c19eb6fe4974a2e56.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\beaatu.exe
  "C:\Users\Admin\beaatu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /k
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /l
1⤵
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /l
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /w
1⤵
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /w
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /g
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /g
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /i
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /B
1⤵
- Suspicious use of WriteProcessMemory
PID:6016
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /B
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /N
1⤵
- Suspicious use of WriteProcessMemory
PID:5644
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /N
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /h
1⤵
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /n
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /n
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /I
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /k
1⤵
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /c
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /R
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /R
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /a
1⤵
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /a
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /C
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /C
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /n
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /n
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /w
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /F
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /F
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /x
1⤵
PID:4948
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /x
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /W
1⤵
PID:2992
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /W
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /S
1⤵
PID:2468
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /f
1⤵
PID:1992
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /k
1⤵
PID:5012
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /M
1⤵
PID:3572
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /M
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /g
1⤵
PID:3132
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /g
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /K
1⤵
PID:1724
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /K
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /g
1⤵
PID:5732
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /g
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Y
1⤵
PID:5112
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /y
1⤵
PID:5892
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /X
1⤵
PID:5596
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /X
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /w
1⤵
PID:5288
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /t
1⤵
PID:4800
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /t
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /e
1⤵
PID:6140
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /w
1⤵
PID:2476
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /G
1⤵
PID:3740
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /G
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /n
1⤵
PID:5688
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /n
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /d
1⤵
PID:6124
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /d
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /H
1⤵
PID:4648
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /J
1⤵
PID:3052
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /J
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /p
1⤵
PID:2412
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /p
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /I
1⤵
PID:5160
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /I
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /s
1⤵
PID:3992
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /j
1⤵
PID:1772
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /j
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /e
1⤵
PID:1724
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /e
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /H
1⤵
PID:1112
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /a
1⤵
PID:632
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /a
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /w
1⤵
PID:3344
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /i
1⤵
PID:1336
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /i
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /T
1⤵
PID:2780
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /T
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /z
1⤵
PID:4328
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /z
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /a
1⤵
PID:2140
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /a
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /W
1⤵
PID:3868
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /W
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /c
1⤵
PID:5256
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /E
1⤵
PID:4648
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /E
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /R
1⤵
PID:5420
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /R
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /h
1⤵
PID:3176
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /h
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Z
1⤵
PID:5404
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Z
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
PID:440
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /f
1⤵
PID:2940
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /W
1⤵
PID:6004
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /W
  2⤵
  - Executes dropped EXE
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /v
1⤵
PID:4904
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /v
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /T
1⤵
PID:1772
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /T
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /N
1⤵
PID:5472
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /N
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /p
1⤵
PID:3324
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /p
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /G
1⤵
PID:5436
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /G
  2⤵
  PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /U
1⤵
PID:5196
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /U
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /v
1⤵
PID:1112
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /v
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /x
1⤵
PID:5548
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /x
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /o
1⤵
PID:3056
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /o
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /S
1⤵
PID:1188
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /S
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /O
1⤵
PID:3344
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /O
  2⤵
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /m
1⤵
PID:2400
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /m
  2⤵
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Q
1⤵
PID:5996
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Q
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
PID:4368
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /E
1⤵
PID:3496
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /E
  2⤵
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /o
1⤵
PID:2288
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /o
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /K
1⤵
PID:5908
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /K
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /K
1⤵
PID:660
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /K
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /r
1⤵
PID:4688
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /h
1⤵
PID:5796
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /h
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /z
1⤵
PID:4508
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /M
1⤵
PID:5544
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /M
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /T
1⤵
PID:3096
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /T
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /K
1⤵
PID:1628
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /K
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /y
1⤵
PID:2172
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Q
1⤵
PID:4904
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Q
  2⤵
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /K
1⤵
PID:3368
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /K
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /T
1⤵
PID:820
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /T
  2⤵
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /w
1⤵
PID:1808
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /w
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /i
1⤵
PID:4484
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /i
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:1100
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /q
1⤵
PID:5892
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /q
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /T
1⤵
PID:2672
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /T
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /O
1⤵
PID:4792
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /O
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Z
1⤵
PID:5828
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /e
1⤵
PID:3928
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /e
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
PID:2128
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /r
1⤵
PID:4928
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:4440
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /E
1⤵
PID:4632
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /E
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /m
1⤵
PID:5944
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /m
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /f
1⤵
PID:4748
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /f
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /W
1⤵
PID:1260
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /W
  2⤵
  PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /J
1⤵
PID:4988
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /J
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /C
1⤵
PID:3804
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /C
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Z
1⤵
PID:5888
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Z
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /B
1⤵
PID:2096
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /B
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /K
1⤵
PID:2940
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /K
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /U
1⤵
PID:4480
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /U
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /A
1⤵
PID:1116
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /A
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /S
1⤵
PID:4540
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /S
  2⤵
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /a
1⤵
PID:5336
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /a
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /s
1⤵
PID:4244
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /s
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /H
1⤵
PID:5016
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /H
  2⤵
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /x
1⤵
PID:5776
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /x
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
PID:4092
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /U
1⤵
PID:4296
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /U
  2⤵
  PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
PID:5228
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:2916
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /y
1⤵
PID:3656
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /T
1⤵
PID:4356
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /T
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:5960
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /J
1⤵
PID:2116
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /J
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:4448
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /f
1⤵
PID:4572
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /f
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /e
1⤵
PID:3068
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /e
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
PID:1476
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  - System Location Discovery: System Language Discovery
  PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /I
1⤵
PID:5252
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /I
  2⤵
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Q
1⤵
PID:1520
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Q
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /v
1⤵
PID:5040
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /v
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /d
1⤵
PID:1900
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /d
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /J
1⤵
PID:5456
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /J
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
PID:1260
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
PID:2028
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /b
1⤵
PID:1816
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /b
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:4692
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /t
1⤵
PID:1992
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /t
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /j
1⤵
PID:4772
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /j
  2⤵
  PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /R
1⤵
PID:5980
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /R
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
PID:2764
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  - System Location Discovery: System Language Discovery
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /e
1⤵
PID:580
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /e
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /f
1⤵
PID:2576
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /A
1⤵
PID:1000
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Q
1⤵
PID:3432
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /C
1⤵
PID:2956
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /C
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /x
1⤵
PID:1928
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /X
1⤵
PID:1960
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /X
  2⤵
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /F
1⤵
PID:5184
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /F
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /g
1⤵
PID:5232
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /g
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /k
1⤵
PID:4924
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /k
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /I
1⤵
PID:536
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /I
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /n
1⤵
PID:216
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /n
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /a
1⤵
PID:2116
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /a
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /k
1⤵
PID:1572
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /k
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /y
1⤵
PID:4572
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:5080
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /H
1⤵
PID:2376
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /H
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /L
1⤵
PID:5252
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /L
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /L
1⤵
PID:4012
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /L
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Z
1⤵
PID:4676
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Z
  2⤵
  PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /U
1⤵
PID:3968
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /U
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /s
1⤵
PID:1848
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /f
1⤵
PID:3084
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /A
1⤵
PID:2216
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /A
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /O
1⤵
PID:2412
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /O
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /s
1⤵
PID:4008
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /s
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /J
1⤵
PID:440
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /J
  2⤵
  PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /p
1⤵
PID:4948
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /p
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Y
1⤵
PID:2148
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Y
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /k
1⤵
PID:1040
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /k
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /H
1⤵
PID:4436
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /H
  2⤵
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /c
1⤵
PID:6104
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /c
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /G
1⤵
PID:2788
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /G
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /r
1⤵
PID:3368
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /r
  2⤵
  PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
PID:2540
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Z
1⤵
PID:4484
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Z
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /d
1⤵
PID:5068
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /d
  2⤵
  PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /s
1⤵
PID:632
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /s
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /S
1⤵
PID:6080
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /S
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /z
1⤵
PID:3328
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /F
1⤵
PID:4084
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /F
  2⤵
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /J
1⤵
PID:5512
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /J
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /F
1⤵
PID:2992
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /F
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /d
1⤵
PID:2780
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /d
  2⤵
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /W
1⤵
PID:5636
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /W
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /r
1⤵
PID:4448
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /D
1⤵
PID:2012
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /D
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Y
1⤵
PID:3068
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /A
1⤵
PID:5500
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /A
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /H
1⤵
PID:5564
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /H
  2⤵
  PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
PID:3428
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /o
1⤵
PID:4740
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /o
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /U
1⤵
PID:5992
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /U
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /u
1⤵
PID:4400
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /u
  2⤵
  - System Location Discovery: System Language Discovery
  PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /j
1⤵
PID:5624
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /j
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /k
1⤵
PID:4776
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /k
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Y
1⤵
PID:6004
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Y
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /P
1⤵
PID:5416
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /P
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /K
1⤵
PID:3096
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /K
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /a
1⤵
PID:5980
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /a
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /d
1⤵
PID:540
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /d
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /t
1⤵
PID:2164
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /t
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /H
1⤵
PID:3516
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /H
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /v
1⤵
PID:864
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /j
1⤵
PID:4332
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /j
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /y
1⤵
PID:2604
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /y
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /x
1⤵
PID:2616
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /O
1⤵
PID:5596
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /O
  2⤵
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /z
1⤵
PID:3056
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /R
1⤵
PID:5792
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /R
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /f
1⤵
PID:4124
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /j
1⤵
PID:5388
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /j
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\beaatu.exe /Z
1⤵
PID:6072
- C:\Users\Admin\beaatu.exe
  C:\Users\Admin\beaatu.exe /Z
  2⤵
  PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\beaatu.exe

Filesize
96KB

MD5
1ddf6d7e6ca6ea514df07001112be4ca

SHA1
de05d59c916f20496ab990ac308cc20cc77340e6

SHA256
87c61dcd13cadd7878e9e8de2fc044c57cf0c45195b3616d1c1acaa3092c8be6

SHA512
58203597aa5eb5c91dad3eed3f07e6dd96cf7a220f622ac2261513a956b617f2db8ee0e972b47d4dc1ff2a58100cb4474e3a2d25c57bf0ccaeba0f656dff2183

Download Submit