cycbot | 1b9227ed19b251e129378e26e69ec4426ef826e10ac3a7ca29cfbdd4e993e5c8

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe
Size

484KB
MD5

a12a8f0a0d9d98503d1625b14bfc387d
SHA1

093dd9c23451b42fdc2fef447ff38c32e0d38c98
SHA256

1b9227ed19b251e129378e26e69ec4426ef826e10ac3a7ca29cfbdd4e993e5c8
SHA512

5b409161682924db3a8106a90fe88797b443f57f7bc0d073501f928017b28bc567ae3b42625bd206bab8eb1ce94dcd0f6e34746584d2f027c4e5397e976004c9
SSDEEP

12288:sP9GBWQch+L/ZgHP+v7xK0DmFwUfIp7JVyvWt1aBnSFAPHzeO:sPoBHch+uudKNffiv1aVSaPTeO

Score

10^/10

cycbot backdoor defense_evasion discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/752-91-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral1/memory/3640-200-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral1/memory/1340-235-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral1/memory/3640-258-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot
behavioral1/memory/3640-514-0x0000000000400000-0x0000000000448000-memory.dmp	family_cycbot

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bueovux.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	V6oUpCF0mC.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	V6oUpCF0mC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe

Executes dropped EXE 64 IoCs

pid	Process
4472	V6oUpCF0mC.exe
3844	bueovux.exe
1184	bueovux.exe
1404	ayhost.exe
3004	ayhost.exe
3104	byhost.exe
540	byhost.exe
4216	bueovux.exe
3640	cyhost.exe
4916	bueovux.exe
752	cyhost.exe
408	bueovux.exe
5092	bueovux.exe
4932	bueovux.exe
5124	bueovux.exe
4444	bueovux.exe
3620	bueovux.exe
3560	bueovux.exe
1948	bueovux.exe
3024	bueovux.exe
5608	bueovux.exe
5008	bueovux.exe
4460	bueovux.exe
2520	bueovux.exe
1960	bueovux.exe
2324	bueovux.exe
2660	bueovux.exe
3684	bueovux.exe
5836	bueovux.exe
2608	bueovux.exe
5208	bueovux.exe
1140	bueovux.exe
3524	bueovux.exe
4556	bueovux.exe
1340	cyhost.exe
5492	bueovux.exe
712	bueovux.exe
552	bueovux.exe
2916	bueovux.exe
3308	bueovux.exe
4456	bueovux.exe
4092	bueovux.exe
3764	bueovux.exe
3904	bueovux.exe
1420	bueovux.exe
2420	bueovux.exe
1388	bueovux.exe
3096	bueovux.exe
4868	bueovux.exe
4924	bueovux.exe
4668	bueovux.exe
2168	bueovux.exe
5604	bueovux.exe
1028	bueovux.exe
5008	bueovux.exe
5720	bueovux.exe
2520	bueovux.exe
1804	bueovux.exe
3328	dyhost.exe
1764	bueovux.exe
3852	bueovux.exe
2148	bueovux.exe
4304	bueovux.exe
3684	bueovux.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /B"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /P"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /H"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /K"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /O"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /G"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /g"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /h"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /x"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /n"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /C"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /b"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /v"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /w"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /A"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /L"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /Y"	bueovux.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe"	cyhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /Q"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /k"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /r"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /u"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /d"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /m"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /i"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /V"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /I"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /S"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /X"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /U"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /R"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /z"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /M"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /f"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /y"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /D"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /N"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /e"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /F"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /J"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /c"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /s"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /W"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /T"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /o"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /j"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /p"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /X"	V6oUpCF0mC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /q"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /l"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /t"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /E"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /Z"	bueovux.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bueovux = "C:\\Users\\Admin\\bueovux.exe /a"	bueovux.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2188	tasklist.exe
4416	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5184 set thread context of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 1404 set thread context of 3004	1404	ayhost.exe	111
PID 3104 set thread context of 540	3104	byhost.exe	114
PID 540 set thread context of 1388	540	byhost.exe	115

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1840-5-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/1840-4-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/1840-7-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/752-91-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1840-103-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/3640-200-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1340-235-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/3640-258-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/3640-514-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/1840-522-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\lvvm.exe	cyhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bueovux.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4472	V6oUpCF0mC.exe
4472	V6oUpCF0mC.exe
4472	V6oUpCF0mC.exe
4472	V6oUpCF0mC.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3004	ayhost.exe
3844	bueovux.exe
3844	bueovux.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	tasklist.exe
Token: SeDebugPrivilege	4416	tasklist.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe
1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe
4472	V6oUpCF0mC.exe
3844	bueovux.exe
1184	bueovux.exe
1404	ayhost.exe
3104	byhost.exe
4216	bueovux.exe
4916	bueovux.exe
408	bueovux.exe
5092	bueovux.exe
4932	bueovux.exe
5124	bueovux.exe
4444	bueovux.exe
3620	bueovux.exe
3560	bueovux.exe
1948	bueovux.exe
3024	bueovux.exe
5608	bueovux.exe
5008	bueovux.exe
4460	bueovux.exe
2520	bueovux.exe
1960	bueovux.exe
2324	bueovux.exe
2660	bueovux.exe
3684	bueovux.exe
5836	bueovux.exe
2608	bueovux.exe
5208	bueovux.exe
1140	bueovux.exe
3524	bueovux.exe
4556	bueovux.exe
5492	bueovux.exe
712	bueovux.exe
552	bueovux.exe
2916	bueovux.exe
3308	bueovux.exe
4456	bueovux.exe
4092	bueovux.exe
3764	bueovux.exe
3904	bueovux.exe
1420	bueovux.exe
2420	bueovux.exe
1388	bueovux.exe
3096	bueovux.exe
4868	bueovux.exe
4924	bueovux.exe
4668	bueovux.exe
2168	bueovux.exe
5604	bueovux.exe
1028	bueovux.exe
5008	bueovux.exe
5720	bueovux.exe
2520	bueovux.exe
1804	bueovux.exe
3328	dyhost.exe
1764	bueovux.exe
3852	bueovux.exe
2148	bueovux.exe
4304	bueovux.exe
3684	bueovux.exe
1424	bueovux.exe
436	bueovux.exe
468	bueovux.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 5184 wrote to memory of 1840	5184	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	89
PID 1840 wrote to memory of 4472	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	93
PID 1840 wrote to memory of 4472	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	93
PID 1840 wrote to memory of 4472	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	93
PID 4472 wrote to memory of 3844	4472	V6oUpCF0mC.exe	103
PID 4472 wrote to memory of 3844	4472	V6oUpCF0mC.exe	103
PID 4472 wrote to memory of 3844	4472	V6oUpCF0mC.exe	103
PID 4472 wrote to memory of 3600	4472	V6oUpCF0mC.exe	106
PID 4472 wrote to memory of 3600	4472	V6oUpCF0mC.exe	106
PID 4472 wrote to memory of 3600	4472	V6oUpCF0mC.exe	106
PID 5532 wrote to memory of 1184	5532	cmd.exe	108
PID 5532 wrote to memory of 1184	5532	cmd.exe	108
PID 5532 wrote to memory of 1184	5532	cmd.exe	108
PID 3600 wrote to memory of 2188	3600	cmd.exe	109
PID 3600 wrote to memory of 2188	3600	cmd.exe	109
PID 3600 wrote to memory of 2188	3600	cmd.exe	109
PID 1840 wrote to memory of 1404	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	110
PID 1840 wrote to memory of 1404	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	110
PID 1840 wrote to memory of 1404	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	110
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1404 wrote to memory of 3004	1404	ayhost.exe	111
PID 1840 wrote to memory of 3104	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	113
PID 1840 wrote to memory of 3104	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	113
PID 1840 wrote to memory of 3104	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	113
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 3104 wrote to memory of 540	3104	byhost.exe	114
PID 540 wrote to memory of 1388	540	byhost.exe	115
PID 540 wrote to memory of 1388	540	byhost.exe	115
PID 540 wrote to memory of 1388	540	byhost.exe	115
PID 5660 wrote to memory of 4216	5660	cmd.exe	121
PID 5660 wrote to memory of 4216	5660	cmd.exe	121
PID 5660 wrote to memory of 4216	5660	cmd.exe	121
PID 1840 wrote to memory of 3640	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	124
PID 1840 wrote to memory of 3640	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	124
PID 1840 wrote to memory of 3640	1840	JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe	124
PID 3260 wrote to memory of 4916	3260	cmd.exe	125
PID 3260 wrote to memory of 4916	3260	cmd.exe	125
PID 3260 wrote to memory of 4916	3260	cmd.exe	125
PID 3640 wrote to memory of 752	3640	cyhost.exe	128
PID 3640 wrote to memory of 752	3640	cyhost.exe	128
PID 3640 wrote to memory of 752	3640	cyhost.exe	128
PID 1144 wrote to memory of 408	1144	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5184
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\V6oUpCF0mC.exe
    C:\Users\Admin\V6oUpCF0mC.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\bueovux.exe
      "C:\Users\Admin\bueovux.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del V6oUpCF0mC.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
- - C:\Users\Admin\ayhost.exe
    C:\Users\Admin\ayhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\ayhost.exe
      "C:\Users\Admin\ayhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3004
- - C:\Users\Admin\byhost.exe
    C:\Users\Admin\byhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Users\Admin\byhost.exe
      "C:\Users\Admin\byhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\explorer.exe
        
        000000D0*
        5⤵
        
        PID:1388
- - C:\Users\Admin\cyhost.exe
    C:\Users\Admin\cyhost.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\cyhost.exe
      C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:752
  - - C:\Users\Admin\cyhost.exe
      C:\Users\Admin\cyhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      PID:1340
- - C:\Users\Admin\dyhost.exe
    C:\Users\Admin\dyhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_a12a8f0a0d9d98503d1625b14bfc387d.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6044
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
- Suspicious use of WriteProcessMemory
PID:5532
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
- Suspicious use of WriteProcessMemory
PID:5660
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /y
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Internet Explorer\lvvm.exe
1⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /D
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /D
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /N
1⤵
PID:5436
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /N
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /n
1⤵
PID:2736
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /n
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /l
1⤵
PID:5204
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /l
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /e
1⤵
PID:4560
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /e
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /P
1⤵
PID:4760
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /P
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:5128
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:1936
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /s
1⤵
PID:3308
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:1328
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /I
1⤵
PID:1864
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /I
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /K
1⤵
PID:5088
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /K
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /O
1⤵
PID:1540
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /O
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /G
1⤵
PID:4364
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /G
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Q
1⤵
PID:2016
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Q
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /k
1⤵
PID:3192
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /z
1⤵
PID:436
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /z
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /W
1⤵
PID:1260
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /W
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /F
1⤵
PID:4924
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /F
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /g
1⤵
PID:4392
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /g
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /s
1⤵
PID:1244
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /M
1⤵
PID:4968
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /M
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /C
1⤵
PID:5348
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /C
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /b
1⤵
PID:4188
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /b
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /F
1⤵
PID:6112
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /F
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /S
1⤵
PID:3692
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /S
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /M
1⤵
PID:5604
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /M
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /C
1⤵
PID:1028
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /C
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /l
1⤵
PID:1672
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /l
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:5912
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /N
1⤵
PID:4472
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /N
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /y
1⤵
PID:6088
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /y
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /g
1⤵
PID:452
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /g
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:2016
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /k
1⤵
PID:2144
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:5784
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /S
1⤵
PID:4144
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /S
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /O
1⤵
PID:3432
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /O
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /J
1⤵
PID:5124
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /J
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /c
1⤵
PID:2108
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /G
1⤵
PID:4040
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /G
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /W
1⤵
PID:5352
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /W
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /z
1⤵
PID:4456
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /z
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /C
1⤵
PID:5148
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /C
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /v
1⤵
PID:4368
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /v
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /G
1⤵
PID:1784
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /G
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /r
1⤵
PID:2624
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /s
1⤵
PID:5896
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:1708
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /K
1⤵
PID:4248
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /K
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /w
1⤵
PID:3464
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /w
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /k
1⤵
PID:3580
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /k
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /h
1⤵
PID:5776
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /h
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:6036
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /T
1⤵
PID:4588
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /T
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /A
1⤵
PID:2124
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /e
1⤵
PID:4768
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /e
  2⤵
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:5348
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /u
1⤵
PID:5492
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /u
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /t
1⤵
PID:4668
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /t
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /P
1⤵
PID:4788
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /P
  2⤵
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /c
1⤵
PID:1748
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /c
  2⤵
  PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /s
1⤵
PID:552
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /s
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:4040
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /M
1⤵
PID:1968
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /M
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /E
1⤵
PID:1716
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /E
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /T
1⤵
PID:3764
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /g
1⤵
PID:5088
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /g
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /T
1⤵
PID:1804
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /h
1⤵
PID:3112
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /h
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Z
1⤵
PID:4644
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Z
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:5276
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /L
1⤵
PID:5756
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /L
  2⤵
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:2308
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /d
1⤵
PID:396
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /d
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /m
1⤵
PID:436
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /m
  2⤵
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:468
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /b
1⤵
PID:3432
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /b
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:2176
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /U
1⤵
PID:4848
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /U
  2⤵
  PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /K
1⤵
PID:4692
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /K
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /o
1⤵
PID:3880
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /o
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /N
1⤵
PID:4476
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /N
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Y
1⤵
PID:2276
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /E
1⤵
PID:4728
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /E
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:2916
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /S
1⤵
PID:864
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /S
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /N
1⤵
PID:4456
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /N
  2⤵
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /P
1⤵
PID:2272
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /P
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /z
1⤵
PID:4412
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /z
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /d
1⤵
PID:3448
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /d
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /r
1⤵
PID:3160
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /r
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /r
1⤵
PID:5960
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /r
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /a
1⤵
PID:5552
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /a
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /W
1⤵
PID:6072
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /W
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /y
1⤵
PID:5484
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /y
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /A
1⤵
PID:2900
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /A
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /A
1⤵
PID:2608
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /A
  2⤵
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /i
1⤵
PID:4012
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /i
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /s
1⤵
PID:5944
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /s
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /n
1⤵
PID:1188
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /n
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /F
1⤵
PID:4804
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /F
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /D
1⤵
PID:5204
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /U
1⤵
PID:3880
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /U
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /m
1⤵
PID:2496
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /m
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /D
1⤵
PID:2168
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /D
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /v
1⤵
PID:2364
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /v
  2⤵
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /d
1⤵
PID:1748
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /d
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /W
1⤵
PID:1028
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /W
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Y
1⤵
PID:5352
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /O
1⤵
PID:6076
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /O
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /U
1⤵
PID:5428
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /U
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /m
1⤵
PID:2272
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /m
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /a
1⤵
PID:4396
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /a
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /j
1⤵
PID:4380
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /j
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /B
1⤵
PID:3672
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /B
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /O
1⤵
PID:4948
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /O
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /r
1⤵
PID:764
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /r
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /n
1⤵
PID:4284
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /d
1⤵
PID:5668
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /d
  2⤵
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:5836
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Q
1⤵
PID:3236
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Q
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /N
1⤵
PID:3116
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /N
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Z
1⤵
PID:3452
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Z
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Q
1⤵
PID:3756
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /R
1⤵
PID:3768
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /R
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /I
1⤵
PID:1340
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /I
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /O
1⤵
PID:3612
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /O
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /J
1⤵
PID:4652
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /J
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /m
1⤵
PID:5084
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /m
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /F
1⤵
PID:5844
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /F
  2⤵
  PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /g
1⤵
PID:4720
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /g
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /j
1⤵
PID:2672
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /j
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /G
1⤵
PID:3024
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /G
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Q
1⤵
PID:3492
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Q
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /A
1⤵
PID:5792
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /A
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:3652
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /J
1⤵
PID:4784
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /J
  2⤵
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:2696
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /M
1⤵
PID:5464
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /M
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /h
1⤵
PID:2444
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /h
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /z
1⤵
PID:5660
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /z
  2⤵
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /J
1⤵
PID:5504
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /J
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /T
1⤵
PID:5848
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /T
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:2844
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /h
1⤵
PID:3976
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /h
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /E
1⤵
PID:512
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /N
1⤵
PID:408
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /N
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /E
1⤵
PID:5988
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /E
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /W
1⤵
PID:4708
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /W
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:5064
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /n
1⤵
PID:4624
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /n
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:4596
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /P
1⤵
PID:2292
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /P
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /b
1⤵
PID:4716
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /b
  2⤵
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /b
1⤵
PID:1132
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /b
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /l
1⤵
PID:5684
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /l
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /m
1⤵
PID:3812
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /m
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:3980
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /C
1⤵
PID:1564
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /C
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /R
1⤵
PID:5300
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /R
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /f
1⤵
PID:4392
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:4940
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /u
1⤵
PID:5964
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /u
  2⤵
  PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /x
1⤵
PID:1864
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /x
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /L
1⤵
PID:1184
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /L
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Q
1⤵
PID:5968
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Q
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:5348
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /A
1⤵
PID:2064
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /A
  2⤵
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Q
1⤵
PID:2272
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Q
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /m
1⤵
PID:4412
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /m
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /h
1⤵
PID:2016
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /h
  2⤵
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /B
1⤵
PID:6032
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /T
1⤵
PID:2144
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /T
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:4780
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Y
1⤵
PID:2392
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Y
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /F
1⤵
PID:3388
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /F
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /c
1⤵
PID:468
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /c
  2⤵
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /n
1⤵
PID:1720
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /n
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /v
1⤵
PID:5984
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /v
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /l
1⤵
PID:4604
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /l
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:3800
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /F
1⤵
PID:5492
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /K
1⤵
PID:3524
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /K
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:3968
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /n
1⤵
PID:1732
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /n
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /J
1⤵
PID:5440
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /J
  2⤵
  PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:4788
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /V
1⤵
PID:216
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /V
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /Z
1⤵
PID:3632
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /Z
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /T
1⤵
PID:1560
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /T
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /W
1⤵
PID:4516
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /W
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:4880
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /p
1⤵
PID:864
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /p
  2⤵
  PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /q
1⤵
PID:5268
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /q
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /a
1⤵
PID:5656
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /a
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /X
1⤵
PID:4704
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /X
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /M
1⤵
PID:5640
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /M
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /B
1⤵
PID:1660
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /v
1⤵
PID:4480
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /A
1⤵
PID:3160
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /A
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /d
1⤵
PID:3260
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /d
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /A
1⤵
PID:4656
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /A
  2⤵
  PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /M
1⤵
PID:4264
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /M
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /O
1⤵
PID:3240
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /O
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /P
1⤵
PID:1784
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /P
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /O
1⤵
PID:4524
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /O
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /e
1⤵
PID:5448
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /e
  2⤵
  - System Location Discovery: System Language Discovery
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /D
1⤵
PID:4604
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /D
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /H
1⤵
PID:3752
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /H
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\bueovux.exe /o
1⤵
PID:4828
- C:\Users\Admin\bueovux.exe
  C:\Users\Admin\bueovux.exe /o
  2⤵
  PID:916

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3C22.B8C

Filesize
600B

MD5
84a14f882f0b8518e0807ffd82962a85

SHA1
af405dcda2c57fb2dc3b4ca565e0d4cde7f75751

SHA256
6d8f4b4fe1a3f9054cbd691c1f9fb6a202e91f44d672d7a21a66c8d61b29011c

SHA512
a403f71c0bf216f6f9d9084815fe249ec9165283b6a710c45be778fbf2b3f28fe1499684b5fdd02858f976d013ae37e10e0001255937a812e2fdd1b3fc995d51

Download Submit
C:\Users\Admin\AppData\Roaming\3C22.B8C

Filesize
996B

MD5
1bd9a94e9ac4b2d1ce7042f60d5cfc90

SHA1
f74453a8b3964819b264adafb18b68e9a03f3e5b

SHA256
ed633bf5d551a32d290db0af6c40d5d90f57051d312c2117c32c16e81a029d79

SHA512
799159d497cd92d4c02cf7bf17dc45227c1fccc93f9b9b256f56aaa5ad7e35c56855d242841fecfaad1bdeb9e649fb30b3a4691773168ea1c5d3d8c03566833e

Download Submit
C:\Users\Admin\AppData\Roaming\3C22.B8C

Filesize
1KB

MD5
e45d28f7b9b2bbb4b3e6b659f6807170

SHA1
7f52c703237f6f0dcf87c0ceac7ceeb28b532b34

SHA256
6f2c754899b48eb3a3370e1382994c20f233c81749755410db58fd11b584763c

SHA512
1ab4f7553d1056d5c5035b376b7f9a8679d3311173d6b1909b3f06dcb0b96fafdbdc15877edbbb21b09d304642ef620bd7ad27bda379d416c1ee19b770896aaa

Download Submit
C:\Users\Admin\V6oUpCF0mC.exe

Filesize
332KB

MD5
b96dc0230580570446ab648e20a7e3b3

SHA1
27483df87ef7093d51062fb2d2fc9944f94c23fb

SHA256
2c65220c1c3ec6cb3282759e1d583b598ad43bf09484239325ae06b961bf0af0

SHA512
b8dd8743eb45f9dcc0d74b5cf450ef2950482e5c33dcdb5ab9494ad2e396d7ea5ebd80d477fca52a25a46cede6e2c31eb2647612090fda72d7e61e49913c042f

Download Submit
C:\Users\Admin\ayhost.exe

Filesize
68KB

MD5
2c7c2d4e9c03a1818621def0e1281a81

SHA1
c92b29a7f6e9998c7a86b9b57cff15f28647a127

SHA256
9fb6cf502b6a872ed2e58666672db9fdc0eb57e6ff5a5677b6dbc8de42193f3e

SHA512
431cadf9b1d4de1dd0c5efebd5bae2af2ac0f6c98a2d71a5f7bc72e2421ecf77d67616d805bb643680192de6c8921e894a48a538276492567524c4267a4e4a66

Download Submit
C:\Users\Admin\bueovux.exe

Filesize
332KB

MD5
5f7113b8f03a6dd9c0ca113eb4c726d9

SHA1
60cb3ec1eeb026da9fc5ce35b8e72fc560d726f8

SHA256
f2bbaba70ac622bad74dc422033ffd274c173c999e9db82e9163d9fb1d2381c5

SHA512
b6c486aa858aabe3fd831737c425cf55c4281a4b4e373f666fc779635e9f39c411a533232781a79530bf357df7bba2dcfc1d4bf17ca18a793ee61ba91f6b4c29

Download Submit
C:\Users\Admin\byhost.exe

Filesize
136KB

MD5
1d0f81b6e185ec95e716d2a0b2ba69a1

SHA1
09399ffa69ae8bfd9794104bc4b7b4f481980e3a

SHA256
abe89315434ce50001a90c9bdd662a0c42fa90d95acdf5baed5823d760e4f878

SHA512
6c4ecc1346bfc9952d7a1a2cb30ed5076bec24db099bb3fe20a248b19f56c075ff592d03100a1a3660ad5f47dfaff6a64b6b2bebe1bcbc7ce747f968a4c7e6b1

Download Submit
C:\Users\Admin\cyhost.exe

Filesize
168KB

MD5
234bf3937f8fe09351acc53c059b40d2

SHA1
256f162b65eacc7a1fee35722fbfdbd55bba93c7

SHA256
86c568452305c3943eb7d1530cef65c75f6fac39d178082783db8b12fc8eef2b

SHA512
6c768729abebd0b9bde9712ee827262c433ac928bb638b9176ef7f4085c2d2b4fdfa3cacffdb7da477d23a1e0ce32e63cba2ab9ace1f45dfcc8109b2c68812b7

Download Submit
C:\Users\Admin\dyhost.exe

Filesize
24KB

MD5
9814ec05c8857737f599ba75b1610fb1

SHA1
aa9d9b016c2feda03cf6ad1bbca332070eb9b295

SHA256
a68f44fa166ade605dfd2e5827a8ca3fa21141eda423c096d1f41d9bf172e597

SHA512
c9daf5d8015ab4d5e0c333b986e04a917a596aef6d61baf43f53e5da346e3e665cd16eb5da35726713689dca991a03fbfa137b7f3f879c77779a477a89a0268d

Download Submit
memory/540-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/540-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/752-91-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1340-235-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1840-5-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1840-522-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1840-103-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1840-7-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1840-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3004-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3004-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3004-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3104-74-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3640-258-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3640-200-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3640-514-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download