Analysis Report cK2ClsvtJE

Overview

General Information

Sample Name: cK2ClsvtJE (renamed file extension from none to exe)
Analysis ID: 317592
MD5: d702d5945976551dd274448376f4e7d8
SHA1: 7309409ae85f49173401b060089fbf79b4b893b6
SHA256: 05e955f0267f4e980209f79746449b83d3c176bbb2f8ea940eef07ec2818b417

Most interesting Screenshot:

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: cK2ClsvtJE.exe Virustotal: Detection: 60%
Source: cK2ClsvtJE.exe Metadefender: Detection: 43%
Source: cK2ClsvtJE.exe ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: cK2ClsvtJE.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02922680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 4_2_02922680
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_029222C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam, 4_2_029222C0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02921FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap, 4_2_02921FF0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F23A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02F23A20
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02923A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 4_2_02923A20

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.3:49718 -> 190.202.229.74:80
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49730 -> 118.69.11.81:7080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.3:49732 -> 70.39.251.94:8080
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49742 -> 87.230.25.43:8080
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.3:49743 -> 94.23.62.116:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49730 -> 118.69.11.81:7080
Source: global traffic TCP traffic: 192.168.2.3:49732 -> 70.39.251.94:8080
Source: global traffic TCP traffic: 192.168.2.3:49742 -> 87.230.25.43:8080
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 94.23.62.116:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.230.25.43 87.230.25.43
Source: Joe Sandbox View IP Address: 94.23.62.116 94.23.62.116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: CANTVServiciosVenezuelaVE CANTVServiciosVenezuelaVE
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49718 -> 190.202.229.74:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /pl7M2FpV1h4w7A/3V7UsUDHt/FvyE57Oxtj4SBTHl3d/ofERnscZ0Q0lwIP/gVFPkBSLJ99/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------------YzlUCjKU14tSkItawLUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4580Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown HTTP traffic detected: POST /pl7M2FpV1h4w7A/3V7UsUDHt/FvyE57Oxtj4SBTHl3d/ofERnscZ0Q0lwIP/gVFPkBSLJ99/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------------YzlUCjKU14tSkItawLUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4580Cache-Control: no-cache
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/lPWkf5UOGPzKK/pepGd3Y462mujpP2UXh/gWESD/NClY/BIcFyZDA6E/M1XHKzIy4/
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/lPWkf5UOGPzKK/pepGd3Y462mujpP2UXh/gWESD/NClY/BIcFyZDA6E/M1XHKzIy4/TZ
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/lPWkf5UOGPzKK/pepGd3Y462mujpP2UXh/gWESD/NClY/BIcFyZDA6E/M1XHKzIy4/id3Z
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/ZXuOy1n8fat5Qa/
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/ZXuOy1n8fat5Qa/dB
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/ZXuOy1n8fat5Qa/pData
Source: GlobCollationHost.exe, 00000004.00000002.487038775.0000000002A34000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/9hZu4ZKUd2Y5T8WBm1d/YRjEk9/
Source: GlobCollationHost.exe, 00000004.00000002.487038775.0000000002A34000.00000004.00000001.sdmp String found in binary or memory: http://87.230.25.43:8080/9hZu4ZKUd2Y5T8WBm1d/YRjEk9/X
Source: GlobCollationHost.exe, 00000004.00000002.487038775.0000000002A34000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/pl7M2FpV1h4w7A/3V7UsUDHt/FvyE57Oxtj4SBTHl3d/ofERnscZ0Q0lwIP/gVFPkBSLJ99/
Source: svchost.exe, 00000007.00000002.488719812.000002384C614000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.488719812.000002384C614000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.488637154.000002384C600000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.488323548.000002384C4B0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000011.00000002.312507428.000001ABFB213000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.311896345.000001ABFB249000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.311958688.000001ABFB25A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.311880922.000001ABFB263000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.311927604.000001ABFB260000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.312507428.000001ABFB213000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.312684951.000001ABFB23D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.312024991.000001ABFB240000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.289855452.000001ABFB232000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000003.311896345.000001ABFB249000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000001.00000002.222966420.0000000002F21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.221574418.0000000002A54000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486175909.00000000028A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486354323.00000000028E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486498394.0000000002921000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.221459912.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.GlobCollationHost.exe.2920000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cK2ClsvtJE.exe.2f20000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02922680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 4_2_02922680

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File created: C:\Windows\SysWOW64\HoloShellRuntime\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File deleted: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F286F0 1_2_02F286F0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F28330 1_2_02F28330
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F23CE0 1_2_02F23CE0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F23EE0 1_2_02F23EE0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F242C9 1_2_02F242C9
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F241B7 1_2_02F241B7
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F24190 1_2_02F24190
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F26860 1_2_02F26860
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F27B30 1_2_02F27B30
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A1A28E 1_2_02A1A28E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A196CE 1_2_02A196CE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A19ECE 1_2_02A19ECE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A15E67 1_2_02A15E67
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A27669 1_2_02A27669
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A15A7E 1_2_02A15A7E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A183FE 1_2_02A183FE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A1587E 1_2_02A1587E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A15D2E 1_2_02A15D2E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A15D55 1_2_02A15D55
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_029286F0 4_2_029286F0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02924190 4_2_02924190
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_029241B7 4_2_029241B7
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_029242C9 4_2_029242C9
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02923CE0 4_2_02923CE0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02923EE0 4_2_02923EE0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02928330 4_2_02928330
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02927B30 4_2_02927B30
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02926860 4_2_02926860
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028AA28E 4_2_028AA28E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A96CE 4_2_028A96CE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A9ECE 4_2_028A9ECE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028B7669 4_2_028B7669
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A5E67 4_2_028A5E67
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A5A7E 4_2_028A5A7E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A83FE 4_2_028A83FE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A587E 4_2_028A587E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A5D2E 4_2_028A5D2E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A5D55 4_2_028A5D55
Sample file is different than original file name gathered from version info
Source: cK2ClsvtJE.exe, 00000001.00000002.223365809.00000000031F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs cK2ClsvtJE.exe
Source: cK2ClsvtJE.exe, 00000001.00000002.223365809.00000000031F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs cK2ClsvtJE.exe
Source: cK2ClsvtJE.exe, 00000001.00000002.223438087.0000000003220000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs cK2ClsvtJE.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: classification engine Classification label: mal80.troj.evad.winEXE@19/13@0/6
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 1_2_02F28CA0
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02924FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification, 4_2_02924FD0
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F25390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 1_2_02F25390
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3396:120:WilError_01
Source: cK2ClsvtJE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: cK2ClsvtJE.exe Virustotal: Detection: 60%
Source: cK2ClsvtJE.exe Metadefender: Detection: 43%
Source: cK2ClsvtJE.exe ReversingLabs: Detection: 72%
Source: unknown Process created: C:\Users\user\Desktop\cK2ClsvtJE.exe 'C:\Users\user\Desktop\cK2ClsvtJE.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Process created: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A51030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 1_2_02A51030
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F260F0 push ecx; mov dword ptr [esp], 0000A172h 1_2_02F260F1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F262D0 push ecx; mov dword ptr [esp], 00001969h 1_2_02F262D1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F261D0 push ecx; mov dword ptr [esp], 00004B56h 1_2_02F261D1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F261B0 push ecx; mov dword ptr [esp], 000003A6h 1_2_02F261B1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F262A0 push ecx; mov dword ptr [esp], 0000BFAAh 1_2_02F262A1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F26090 push ecx; mov dword ptr [esp], 0000BAD9h 1_2_02F26091
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F26180 push ecx; mov dword ptr [esp], 0000D106h 1_2_02F26181
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F26240 push ecx; mov dword ptr [esp], 00008F23h 1_2_02F26241
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F26140 push ecx; mov dword ptr [esp], 00004AF2h 1_2_02F26141
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F26320 push ecx; mov dword ptr [esp], 00009128h 1_2_02F26321
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F26220 push ecx; mov dword ptr [esp], 00004B50h 1_2_02F26221
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17EBE push ecx; mov dword ptr [esp], 00009128h 1_2_02A17EBF
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17E3E push ecx; mov dword ptr [esp], 0000BFAAh 1_2_02A17E3F
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17E6E push ecx; mov dword ptr [esp], 00001969h 1_2_02A17E6F
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A28B8F push edi; iretd 1_2_02A28BA1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A33FD9 push ss; iretd 1_2_02A33FDE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17C8E push ecx; mov dword ptr [esp], 0000A172h 1_2_02A17C8F
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A3449C push ebx; iretd 1_2_02A344AF
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A3449C push FFFFFF95h; iretd 1_2_02A344F1
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17CDE push ecx; mov dword ptr [esp], 00004AF2h 1_2_02A17CDF
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17C2E push ecx; mov dword ptr [esp], 0000BAD9h 1_2_02A17C2F
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17DBE push ecx; mov dword ptr [esp], 00004B50h 1_2_02A17DBF
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17DDE push ecx; mov dword ptr [esp], 00008F23h 1_2_02A17DDF
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17D1E push ecx; mov dword ptr [esp], 0000D106h 1_2_02A17D1F
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17D6E push ecx; mov dword ptr [esp], 00004B56h 1_2_02A17D6F
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A17D4E push ecx; mov dword ptr [esp], 000003A6h 1_2_02A17D4F
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02926090 push ecx; mov dword ptr [esp], 0000BAD9h 4_2_02926091
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02926180 push ecx; mov dword ptr [esp], 0000D106h 4_2_02926181
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_029261B0 push ecx; mov dword ptr [esp], 000003A6h 4_2_029261B1
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_029262A0 push ecx; mov dword ptr [esp], 0000BFAAh 4_2_029262A1
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_029262D0 push ecx; mov dword ptr [esp], 00001969h 4_2_029262D1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Executable created and started: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe PE file moved: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File opened: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 1_2_02F25390
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6700 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F23A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02F23A20
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02923A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 4_2_02923A20
Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.488872425.000002384C65E000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.484790522.00000233F8A02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488839212.000002384C647000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000D.00000002.485230682.00000233F8A40000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.485004591.000001F757040000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.484791655.000002C702229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.488872425.000002384C65E000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.484790522.00000233F8A02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: GlobCollationHost.exe, 00000004.00000003.362692520.0000000002A49000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.488839212.000002384C647000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.238658443.00000289C3D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.289264774.0000026208340000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.485679936.000001F7576C0000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.309956263.00000273636A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A51030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 1_2_02A51030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F24190 mov eax, dword ptr fs:[00000030h] 1_2_02F24190
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02F25140 mov eax, dword ptr fs:[00000030h] 1_2_02F25140
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A16CDE mov eax, dword ptr fs:[00000030h] 1_2_02A16CDE
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A10456 mov eax, dword ptr fs:[00000030h] 1_2_02A10456
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A15D2E mov eax, dword ptr fs:[00000030h] 1_2_02A15D2E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A1095E mov eax, dword ptr fs:[00000030h] 1_2_02A1095E
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A51030 mov eax, dword ptr fs:[00000030h] 1_2_02A51030
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02924190 mov eax, dword ptr fs:[00000030h] 4_2_02924190
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02925140 mov eax, dword ptr fs:[00000030h] 4_2_02925140
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A6CDE mov eax, dword ptr fs:[00000030h] 4_2_028A6CDE
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A0456 mov eax, dword ptr fs:[00000030h] 4_2_028A0456
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A5D2E mov eax, dword ptr fs:[00000030h] 4_2_028A5D2E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028A095E mov eax, dword ptr fs:[00000030h] 4_2_028A095E
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_028E1030 mov eax, dword ptr fs:[00000030h] 4_2_028E1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\cK2ClsvtJE.exe Code function: 1_2_02A51030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 1_2_02A51030
Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Progman
Source: GlobCollationHost.exe, 00000004.00000002.486034143.0000000001490000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.486209677.000001C383260000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jcp VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\USS.jtx VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.vol VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB\tmp.edb VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Code function: 4_2_02925720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 4_2_02925720
Source: C:\Windows\SysWOW64\HoloShellRuntime\GlobCollationHost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000013.00000002.484989961.0000023140251000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000013.00000002.484823954.0000023140213000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000001.00000002.222966420.0000000002F21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.221574418.0000000002A54000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486175909.00000000028A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486354323.00000000028E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.486498394.0000000002921000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.221459912.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.GlobCollationHost.exe.2920000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cK2ClsvtJE.exe.2f20000.1.unpack, type: UNPACKEDPE