Windows Analysis Report
SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe
Analysis ID: 1428478
MD5: 180e97a753b38a75031487130f0f33fe
SHA1: d5b3e1a7806b95a88db68846604d780066f464fb
SHA256: a7bb98097d03e4038ddf04cc17954b7a66e29f0f66f9c7b75821776fe80cf13b
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for sample
Potentially malicious time measurement code found
Self deletion via cmd or bat file
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Avira: detected
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe ReversingLabs: Detection: 68%
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 52.159.126.152:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.159.126.152:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.159.126.152:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.248.236.58:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.159.126.152:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.248.236.58:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.159.126.152:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.159.126.152:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.159.126.152:443 -> 192.168.2.6:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.25.241.18:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: AitStatic.pdbGCTL source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AitStatic.pdb source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: global traffic TCP traffic: 8.212.47.137 ports 8379,8052,3,7,8,9
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 8.212.47.137:8379
Source: global traffic TCP traffic: 192.168.2.6:49713 -> 47.57.240.88:9187
Source: global traffic TCP traffic: 192.168.2.6:49729 -> 8.212.54.142:9187
Source: global traffic TCP traffic: 192.168.2.6:49730 -> 47.108.224.157:28012
Source: global traffic TCP traffic: 192.168.2.6:49744 -> 47.243.79.202:9578
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 8.212.47.137:8379Content-Length: 96
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 8.212.47.137:8379Content-Length: 144
Source: global traffic HTTP traffic detected: GET /64/pk20.txt HTTP/1.1Connection: Keep-AliveHost: cq-aliyun.oss-cn-hongkong.aliyuncs.com
Source: global traffic HTTP traffic detected: GET /c HTTP/1.1Host: 47.243.40.96
Source: global traffic HTTP traffic detected: GET /32/pk20.txt HTTP/1.1Host: cq-aliyun.oss-cn-hongkong.aliyuncs.com
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /index/download/notice HTTP/1.1Connection: Keep-AliveContent-Type: application/json;charset=UTF-8User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36Content-Length: 75Host: site01.skfcafob.com
Source: global traffic HTTP traffic detected: POST /index/download/task HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36Content-Length: 9Host: site01.skfcafob.com
Source: global traffic HTTP traffic detected: GET /cccccc.txt HTTP/1.1Connection: Keep-AliveUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36Host: gfak.oss-cn-hongkong.aliyuncs.com
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 8.212.47.137
Source: unknown TCP traffic detected without corresponding DNS query: 47.57.240.88
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D447D7 recv, 2_2_00D447D7
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yAkzWxMlToUhGeV&MD=6sbOoHXV HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yAkzWxMlToUhGeV&MD=6sbOoHXV HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: unknown DNS traffic detected: queries for: gfak.oss-cn-hongkong.aliyuncs.com
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.243.40.96/c;
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243837720.000001D26BDDD000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243949171.000001D26BDE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cq-aliyun.oss-cn-hongkong.aliyuncs.com/
Source: sihost.exe, 00000002.00000003.2807870230.000001D63F49A000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2818947779.000001D63F6C4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cq-aliyun.oss-cn-hongkong.aliyuncs.com/32/pk20.txt
Source: sihost.exe, 00000002.00000003.2807870230.000001D63F49A000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2818947779.000001D63F6C4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cq-aliyun.oss-cn-hongkong.aliyuncs.com/32/pk20.txtget
Source: AppHostRegistrationVerifier.exe, 0000000C.00000002.4562854966.000001D26BF3E000.00000002.00000001.00020000.00000000.sdmp String found in binary or memory: http://cq-aliyun.oss-cn-hongkong.aliyuncs.com/64/pk%02d.txt
Source: AppHostRegistrationVerifier.exe, 0000000C.00000002.4562120260.000001D26BDFA000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000002.4558141604.000001D26BDAB000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243215817.000001D26BDF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cq-aliyun.oss-cn-hongkong.aliyuncs.com/64/pk20.txt
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2642966828.000001D26BDF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cq-aliyun.oss-cn-hongkong.aliyuncs.com/64/pk20.txtL
Source: AppHostRegistrationVerifier.exe, 0000000C.00000002.4558141604.000001D26BDAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cq-aliyun.oss-cn-hongkong.aliyuncs.com:80/64/pk20.txt
Source: sihost.exe, 00000002.00000003.2818600420.000001D63E9AF000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2807870230.000001D63F5E3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: sihost.exe, 00000002.00000003.2818600420.000001D63E9AF000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2807870230.000001D63F5E3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: CertEnrollCtrl.exe, 0000000E.00000003.2451348396.0000000000A54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gfak.oss-cn-hongkong.aliyuncs.com/
Source: sihost.exe, 00000002.00000003.2631449033.000001D63E9C9000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2818786283.000001D63E9CB000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2425327932.000001D63E9CB000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2818600420.000001D63E9C9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://gfak.oss-cn-hongkong.aliyuncs.com/cccccc.txtdomainget_taskupload
Source: sihost.exe, 00000002.00000003.2818600420.000001D63E9AF000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2807870230.000001D63F5E3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/che
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243894069.000001D26BDE0000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243492528.000001D26BDD3000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243837720.000001D26BDDD000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000002.4562070236.000001D26BDE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/check.php?cid=10000020&
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243949171.000001D26BDE5000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/check.php?cid=10000020&u=%u
Source: CertEnrollCtrl.exe, 0000000E.00000003.3080845232.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/check.php?cid=10000020&u=%uef0
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243215817.000001D26BE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/check.php?cid=10000020&u=%uwsock.dll
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243894069.000001D26BDE0000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243492528.000001D26BDD3000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243837720.000001D26BDDD000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000002.4562070236.000001D26BDE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/check.php?cid=100i
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243894069.000001D26BDE0000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243492528.000001D26BDD3000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243837720.000001D26BDDD000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000002.4562070236.000001D26BDE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/check.php?cid=100ion
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243215817.000001D26BE1A000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243700050.000001D26BDFB000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243215817.000001D26BDF9000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3080845232.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/l.php?cid=10000020&tm=%u
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/l.php?cid=10000020&tm=%uk20.txt
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243215817.000001D26BE1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/l.php?cid=10000020&tm=%ushqos.dllB
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/s.php?cid=10000020&u=%u
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/s.php?cid=10000020&u=%u%u0.txt
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/s.php?cid=10000020&u=%u-0
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243894069.000001D26BDE0000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243492528.000001D26BDD3000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243837720.000001D26BDDD000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000002.4562070236.000001D26BDE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/s.php?cid=10000020&u=%uU
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/s.php?cid=10000020&u=%uf
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243894069.000001D26BDE0000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243492528.000001D26BDD3000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243837720.000001D26BDDD000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000002.4562070236.000001D26BDE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://47.57.238.48/pk/s.php?cid=10000020&u=%ui
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kgwl.oss-cn-hongkong.aliyuncs.com/7799.exe
Source: CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kgwl.oss-cn-hongkong.aliyuncs.com/Data.exe
Source: sihost.exe, 00000002.00000003.2818600420.000001D63E9AF000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000002.00000003.2807870230.000001D63F5E3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: CertEnrollCtrl.exe, 0000000E.00000003.2451386569.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com
Source: CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.2480692688.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com/
Source: CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.2480692688.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com/e
Source: CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com/index/download/notice
Source: CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.2480692688.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com/index/download/task
Source: CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.2480692688.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com/index/download/taskM
Source: CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com/index/download/taskf
Source: CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.2480692688.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://site01.skfcafob.com/v
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E1660 NtQuerySystemInformation, 0_2_004E1660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E1678 NtQuerySystemInformation, 0_2_004E1678
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D19DA0 NtQuerySystemInformation, 2_2_00D19DA0
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D19F70 NtQuerySystemInformation,NtQuerySystemInformation, 2_2_00D19F70
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC1320 NtQuerySystemInformation, 2_2_000001D63EAC1320
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC1800 NtCreateThreadEx,FindCloseChangeNotification, 2_2_000001D63EAC1800
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF02A60 NtQuerySystemInformation, 12_2_000001D26BF02A60
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF02C80 NtQueryInformationProcess, 12_2_000001D26BF02C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E83AE 0_2_004E83AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059476C 0_2_0059476C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004EE8FE 0_2_004EE8FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004F0B79 0_2_004F0B79
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004EEE70 0_2_004EEE70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058D2FA 0_2_0058D2FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E1140 0_2_004E1140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058D2FA 0_2_0058D2FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059132B 0_2_0059132B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004EF3E2 0_2_004EF3E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058D39E 0_2_0058D39E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E7440 0_2_004E7440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004EB895 0_2_004EB895
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004EFB8A 0_2_004EFB8A
Source: C:\Windows\System32\sihost.exe Code function: 2_3_000001D63EE601BE 2_3_000001D63EE601BE
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D14E60 2_2_00D14E60
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D111B0 2_2_00D111B0
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D1D17C 2_2_00D1D17C
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D11290 2_2_00D11290
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D27250 2_2_00D27250
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D12410 2_2_00D12410
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D265C0 2_2_00D265C0
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D1C564 2_2_00D1C564
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D29510 2_2_00D29510
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D1C870 2_2_00D1C870
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D22A14 2_2_00D22A14
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D29C90 2_2_00D29C90
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D22DC4 2_2_00D22DC4
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D1EDF4 2_2_00D1EDF4
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D25D5C 2_2_00D25D5C
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D2BE48 2_2_00D2BE48
Source: C:\Windows\System32\sihost.exe Code function: 2_2_0000000180010158 2_2_0000000180010158
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00000001800125BC 2_2_00000001800125BC
Source: C:\Windows\System32\sihost.exe Code function: 2_2_0000000180011B2C 2_2_0000000180011B2C
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EACD5F4 2_2_000001D63EACD5F4
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EACA3C8 2_2_000001D63EACA3C8
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC53AC 2_2_000001D63EAC53AC
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC3414 2_2_000001D63EAC3414
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAD11AC 2_2_000001D63EAD11AC
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC6188 2_2_000001D63EAC6188
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EACD244 2_2_000001D63EACD244
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAD209C 2_2_000001D63EAD209C
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC50DC 2_2_000001D63EAC50DC
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC5E38 2_2_000001D63EAC5E38
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC59D4 2_2_000001D63EAC59D4
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAD0948 2_2_000001D63EAD0948
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC7A7C 2_2_000001D63EAC7A7C
Source: C:\Windows\System32\sihost.exe Code function: 2_2_000001D63EAC7770 2_2_000001D63EAC7770
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9B529F 12_2_000001D26B9B529F
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9BB2D4 12_2_000001D26B9BB2D4
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9BFA3C 12_2_000001D26B9BFA3C
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9B5A70 12_2_000001D26B9B5A70
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9B76B8 12_2_000001D26B9B76B8
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9BB684 12_2_000001D26B9BB684
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9BEDAC 12_2_000001D26B9BEDAC
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9B85F4 12_2_000001D26B9B85F4
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26B9BE548 12_2_000001D26B9BE548
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF30B80 12_2_000001D26BF30B80
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF04B80 12_2_000001D26BF04B80
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF21B5C 12_2_000001D26BF21B5C
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF229FC 12_2_000001D26BF229FC
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF01070 12_2_000001D26BF01070
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF21958 12_2_000001D26BF21958
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF22678 12_2_000001D26BF22678
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF2AD18 12_2_000001D26BF2AD18
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@3/11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E25DA AdjustTokenPrivileges,FindCloseChangeNotification,WSAStartup, 0_2_004E25DA
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D1A720 GetProcAddress,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,AdjustTokenPrivileges,FindCloseChangeNotification,WSAStartup, 2_2_00D1A720
Source: C:\Windows\System32\sihost.exe Code function: 2_2_0000000180007462 AdjustTokenPrivileges, 2_2_0000000180007462
Source: C:\Windows\System32\sihost.exe Code function: 2_2_0000000180002890 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification, 2_2_0000000180002890
Source: C:\Windows\System32\sihost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1723392131
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1223443280
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\oifacveqzqn
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\n171989023
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_03
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1745317736
Source: C:\Windows\System32\sihost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\71e9c6620d381d60196ebe694840aab3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c del /f/q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe" > nul
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\AppHostRegistrationVerifier.exe "C:\Windows\system32\AppHostRegistrationVerifier.exe"
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\SysWOW64\CertEnrollCtrl.exe "C:\Windows\SysWOW64\CertEnrollCtrl.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c del /f/q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe" > nul Jump to behavior
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\AppHostRegistrationVerifier.exe "C:\Windows\system32\AppHostRegistrationVerifier.exe" Jump to behavior
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe" Jump to behavior
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\SysWOW64\CertEnrollCtrl.exe "C:\Windows\SysWOW64\CertEnrollCtrl.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\sihost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\sihost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\sihost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: certca.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: certenroll.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: dsparse.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\sihost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41fd88f7-f295-4d39-91ac-a85f3149a05b}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: AitStatic.pdbGCTL source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AitStatic.pdb source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D444BE LoadLibraryA,GetProcAddress, 2_2_00D444BE
Source: initial sample Static PE information: section where entry point is pointing to: .c1
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Static PE information: section name: .c0
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Static PE information: section name: .c1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059424C pushfd ; mov dword ptr [esp], eax 0_2_00585C5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059371D pushfd ; mov dword ptr [esp], ecx 0_2_00593728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058805D push esp; mov dword ptr [esp], edi 0_2_0059ABD3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_00586046 push dword ptr [esp+50h]; retn 0054h 0_2_00592829
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058807E push dword ptr [esp+50h]; retn 0054h 0_2_00588087
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_00592073 pushfd ; mov dword ptr [esp], ebp 0_2_0059208C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059000E push dword ptr [esp+50h]; retn 0054h 0_2_0059899F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058603C push dword ptr [esp+50h]; retn 0054h 0_2_00598320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_00590037 push dword ptr [esp+10h]; retn 0014h 0_2_00590046
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058A02A push dword ptr [esp+28h]; retn 002Ch 0_2_00585B43
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E20C2 push 1DDB0D24h; mov dword ptr [esp], edi 0_2_004E20EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_005860D6 push dword ptr [esp+50h]; retn 0054h 0_2_00586101
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_005900C4 push dword ptr [esp+24h]; retn 0028h 0_2_005900D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058E0C7 push dword ptr [esp+60h]; retn 0064h 0_2_00592752
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_005920FE push dword ptr [esp+24h]; retn 0028h 0_2_0058B791
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_005920FE push dword ptr [esp+28h]; retn 002Ch 0_2_00592156
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058E0F5 push dword ptr [esp+5Ch]; retn 0060h 0_2_0058E108
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_00586093 push dword ptr [esp+4Ch]; retn 0050h 0_2_005890EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059608D push dword ptr [esp+28h]; retn 002Ch 0_2_005960F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_005880B2 push eax; mov dword ptr [esp], 00000000h 0_2_005880C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059615B push dword ptr [esp+54h]; retn 0058h 0_2_00591495
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059615B pushfd ; mov dword ptr [esp], ecx 0_2_00596166
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E214A push dword ptr [esp+38h]; retn 003Ch 0_2_005819C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E214A push dword ptr [esp+50h]; retn 0054h 0_2_0058215F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058E148 push dword ptr [esp+30h]; retn 0034h 0_2_0058E164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059814D push dword ptr [esp+04h]; mov dword ptr [esp], esp 0_2_00598179
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058E14E push dword ptr [esp+30h]; retn 0034h 0_2_0058E164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058417C push dword ptr [esp+20h]; retn 0024h 0_2_005841A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059A17F push dword ptr [esp+38h]; retn 003Ch 0_2_0059A1AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_00588173 push dword ptr [esp+30h]; retn 0034h 0_2_005955C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0059A115 push dword ptr [esp+34h]; retn 0038h 0_2_0059A121
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Static PE information: section name: .c1 entropy: 7.989192901004846

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Process created: cmd.exe /c del /f/q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe" > nul
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Process created: cmd.exe /c del /f/q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe" > nul Jump to behavior
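The process-creation lines above show the two behaviours a triage analyst would turn into rules: the sample launches cmd.exe to delete its own image (`del /f/q "<own path>" > nul`), and the injected sihost.exe goes on to spawn three signed system binaries (AppHostRegistrationVerifier.exe, autofmt.exe, CertEnrollCtrl.exe) that it has no business launching. The following script is an added example written for this page, not Joe Sandbox code and not part of the report: the events are transcribed from the "Process created" lines, the del-command parser is the editor's own, and the premise that sihost.exe never spawns executables is a baseline assumption to validate against your own telemetry before alerting on it.

```python
"""Triage rules over process-creation events (added example, not report output)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the creating process
    child_image: str    # full path of the created process
    command_line: str   # command line of the created process


# Transcribed from the report's "Process created" lines (parent -> child).
EVENTS = [
    ProcessEvent(
        r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe",
        r"C:\Windows\SysWOW64\cmd.exe",
        r'cmd.exe /c del /f/q "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe" > nul',
    ),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(r"C:\Windows\System32\sihost.exe", r"C:\Windows\System32\AppHostRegistrationVerifier.exe",
                 r'"C:\Windows\system32\AppHostRegistrationVerifier.exe"'),
    ProcessEvent(r"C:\Windows\System32\sihost.exe", r"C:\Windows\SysWOW64\autofmt.exe",
                 r'"C:\Windows\SysWOW64\autofmt.exe"'),
    ProcessEvent(r"C:\Windows\System32\sihost.exe", r"C:\Windows\SysWOW64\CertEnrollCtrl.exe",
                 r'"C:\Windows\SysWOW64\CertEnrollCtrl.exe"'),
]

# Rule 1: a cmd.exe DEL/ERASE command. Accepts switches written together (/f/q) or
# apart (/f /q), any case, and a quoted or unquoted target; stops before a redirect.
_DEL_RE = re.compile(
    r"""\b(?:del|erase)\b(?:\s+/\S+)*\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s>]+))""",
    re.IGNORECASE,
)


def deleted_target(command_line: str) -> str | None:
    """Return the path a cmd.exe DEL command removes, or None if there is no DEL."""
    m = _DEL_RE.search(command_line)
    if not m:
        return None
    return m.group("q") or m.group("u")


def is_self_deletion(ev: ProcessEvent) -> bool:
    """True when a child cmd.exe deletes the image of the process that spawned it."""
    if not ev.child_image.lower().endswith("\\cmd.exe"):
        return False
    target = deleted_target(ev.command_line)
    return target is not None and target.lower() == ev.parent_image.lower()


# Rule 2 (ASSUMPTION: baseline to confirm in your environment): the Shell
# Infrastructure Host is not expected to launch other executables at all.
UNEXPECTED_PARENTS = {"sihost.exe"}


def is_unexpected_parent(ev: ProcessEvent) -> bool:
    """True when the parent is on the list of processes that should never spawn children."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    return parent in UNEXPECTED_PARENTS


def triage(events) -> dict[str, list[str]]:
    """Group flagged events by rule name; values are the offending command line or image."""
    hits: dict[str, list[str]] = {"self_deletion": [], "unexpected_parent": []}
    for ev in events:
        if is_self_deletion(ev):
            hits["self_deletion"].append(ev.command_line)
        if is_unexpected_parent(ev):
            hits["unexpected_parent"].append(ev.child_image)
    return hits


if __name__ == "__main__":
    for rule, items in triage(EVENTS).items():
        print(f"{rule}: {len(items)} hit(s)")
        for item in items:
            print("   ", item)
```

The self-deletion rule compares the DEL target against the parent's image path rather than just looking for `del` in a command line, which keeps ordinary cleanup scripts out of the alert. The parent rule is only as good as the baseline behind it: before deploying, confirm from your own process telemetry that sihost.exe genuinely never creates child processes on the builds you run.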
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49755
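The sandbox lists every flow twice, once per direction, and labels the 8379 traffic "HTTP" purely from its own protocol guess. To turn the 443 lines earlier in the report and the 8379 lines above into something countable, collapse each pair onto its server port (the non-ephemeral side) and count distinct client ports per server port; a known protocol on a port outside its usual set is the finding. The script below is an added example for this page, not sandbox code and not part of the report. The input is a subset of the report's own lines; the standard-port table and the ephemeral-port rule (the IANA dynamic range 49152-65535, which the Windows client ports here fall in) are the editor's assumptions. Whether the 8379 payload really is HTTP still has to be confirmed from the PCAP.

```python
"""Server-port profiling from sandbox flow lines (added example, not report output)."""
from __future__ import annotations

import re
from collections import defaultdict

# Subset of the report's "Network traffic detected" lines, both directions included.
FLOW_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 8379 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 8379
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
""".splitlines()

_FLOW_RE = re.compile(r"(?P<proto>\w+) traffic on port (?P<a>\d+) -> (?P<b>\d+)")

# ASSUMPTION: ports where the labelled protocol is expected; tune per network.
STANDARD_PORTS = {"HTTP": {80, 443, 8080, 8443}}
# ASSUMPTION: IANA dynamic/private range, used by Windows for client-side ports.
EPHEMERAL_MIN = 49152


def server_port(a: int, b: int) -> int | None:
    """Pick the non-ephemeral side of a flow as the server port.

    Returns None when both sides look ephemeral, i.e. direction cannot be decided.
    """
    a_eph, b_eph = a >= EPHEMERAL_MIN, b >= EPHEMERAL_MIN
    if a_eph and not b_eph:
        return b
    if b_eph and not a_eph:
        return a
    return None


def profile(lines) -> dict[tuple[str, int], set[int]]:
    """Map (protocol, server_port) -> set of distinct client ports (one per connection)."""
    conns: dict[tuple[str, int], set[int]] = defaultdict(set)
    for line in lines:
        m = _FLOW_RE.search(line)
        if not m:
            continue
        a, b = int(m["a"]), int(m["b"])
        srv = server_port(a, b)
        if srv is None:
            continue
        client = a if srv == b else b
        conns[(m["proto"].upper(), srv)].add(client)
    return conns


def non_standard(conns) -> list[tuple[str, int, int]]:
    """Return (protocol, server_port, connection_count) for pairs outside STANDARD_PORTS."""
    out = []
    for (proto, port), clients in sorted(conns.items()):
        if port not in STANDARD_PORTS.get(proto, set()):
            out.append((proto, port, len(clients)))
    return out


if __name__ == "__main__":
    conns = profile(FLOW_LINES)
    for key, clients in sorted(conns.items()):
        print(key, len(clients), "connection(s)")
    print("non-standard:", non_standard(conns))
```

Run over the full set of 8379 lines in the report, the same code yields 15 distinct client ports against one server port, which is the repeated-connection pattern behind the report's port-scanning and non-standard-port signatures rather than a single long-lived session.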
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D1C564 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00D1C564
Source: C:\Windows\System32\sihost.exe File opened / queried: vmmemctl Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058C008 rdtsc 0_2_0058C008
Source: C:\Windows\System32\sihost.exe Code function: GetAdaptersInfo, 2_2_00D19D00
Source: C:\Windows\System32\sihost.exe Code function: GetAdaptersInfo, 2_2_00D542C0
Source: C:\Windows\System32\sihost.exe Thread delayed: delay time: 570000 Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Window / User API: threadDelayed 1568 Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Window / User API: threadDelayed 6859 Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Window / User API: threadDelayed 7017 Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Window / User API: threadDelayed 472 Jump to behavior
Source: C:\Windows\System32\sihost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\System32\sihost.exe API coverage: 9.3 %
Source: C:\Windows\System32\sihost.exe TID: 1424 Thread sleep time: -570000s >= -30000s Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe TID: 5780 Thread sleep count: 1568 > 30 Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe TID: 5780 Thread sleep time: -15680000s >= -30000s Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe TID: 3648 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe TID: 2216 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe TID: 6136 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe TID: 5780 Thread sleep count: 6859 > 30 Jump to behavior
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe TID: 5780 Thread sleep time: -68590000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe TID: 4440 Thread sleep count: 7017 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe TID: 4440 Thread sleep time: -70170000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe TID: 2196 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe TID: 2192 Thread sleep count: 293 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe TID: 2192 Thread sleep time: -293000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe TID: 2192 Thread sleep count: 472 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe TID: 2192 Thread sleep time: -472000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Last function: Thread delayed
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D1A660 GetSystemInfo, 2_2_00D1A660
Source: C:\Windows\System32\sihost.exe Thread delayed: delay time: 570000
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Thread delayed: delay time: 120000
Source: sihost.exe, 00000002.00000002.4566270079.000001D63E70D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CCM_VirtualMachineInfo
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Msvm_VirtualMachineToDisks
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfRawData_VmmsVirtualMachineStats_HyperVVirtualMachineHealthSummary
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfRawData_Counters_HyperVVirtualMachineBusPipes
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32Reg_SMSGuestVirtualMachine
Source: sihost.exe, 00000002.00000002.4566270079.000001D63E70D000.00000004.00000001.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.3243215817.000001D26BE1A000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000002.4558141604.000001D26BDAB000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.2642966828.000001D26BE1A000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081561434.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.2480495959.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.3081243755.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, CertEnrollCtrl.exe, 0000000E.00000003.2451348396.0000000000A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32Reg_SMSGuestVirtualMachine64
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfFormattedData_VmmsVirtualMachineStats_HyperVVirtualMachineHealthSummary
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CCM_VirtualMachineInfoByWMI
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.3243215817.000001D26BE1A000.00000004.00000020.00020000.00000000.sdmp, AppHostRegistrationVerifier.exe, 0000000C.00000003.2642966828.000001D26BE1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfRawData_Counters_HyperVVirtualMachineBus
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CCM_VirtualMachineInfoByRegKey
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfFormattedData_Counters_HyperVVirtualMachineBusProviderPipes
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfFormattedData_Counters_HyperVVirtualMachineBus
Source: SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe, 00000000.00000002.2121889990.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFT_NetEventVmNetworkAdapter
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfRawData_Counters_HyperVVirtualMachineBusProviderPipes
Source: AppHostRegistrationVerifier.exe, 0000000C.00000003.2389485528.000001D26BF08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_PerfFormattedData_Counters_HyperVVirtualMachineBusPipes
Source: C:\Windows\System32\sihost.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058B74D Start: 0058B75A End: 0058B763 0_2_0058B74D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_0058C008 rdtsc 0_2_0058C008
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF29E68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_000001D26BF29E68
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D444BE LoadLibraryA,GetProcAddress, 2_2_00D444BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Process token adjusted: Debug
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF19228 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_000001D26BF19228
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Code function: 12_2_000001D26BF29E68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_000001D26BF29E68

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory allocated: C:\Windows\System32\sihost.exe base: D00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory allocated: C:\Windows\System32\sihost.exe base: D10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory allocated: C:\Windows\System32\sihost.exe base: 3BD00000 protect: page read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26B9A0000 protect: page execute and read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26B9B0000 protect: page execute and read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BEC0000 protect: page read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 680000 protect: page execute and read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 830000 protect: page execute and read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 920000 protect: page read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BF00000 protect: page execute and read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4950000 protect: page execute and read and write
Source: C:\Windows\System32\sihost.exe Memory allocated: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4840000 protect: page read and write
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Memory allocated: C:\Windows\System32\sihost.exe base: 1D63DC30000 protect: page read and write
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Memory allocated: C:\Windows\System32\sihost.exe base: 1D63EE60000 protect: page read and write
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Memory protected: C:\Windows\System32\sihost.exe base: 1D63EE60000 protect: page execute read
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Thread created: C:\Windows\System32\sihost.exe EIP: D00000
Source: C:\Windows\System32\sihost.exe Thread created: C:\Windows\System32\AppHostRegistrationVerifier.exe EIP: 6B9A0000
Source: C:\Windows\System32\sihost.exe Thread created: C:\Windows\SysWOW64\CertEnrollCtrl.exe EIP: 680000
Source: C:\Windows\System32\sihost.exe Thread created: C:\Windows\System32\AppHostRegistrationVerifier.exe EIP: 6B9A0000
Source: C:\Windows\System32\sihost.exe Thread created: C:\Windows\SysWOW64\CertEnrollCtrl.exe EIP: 680000
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Thread created: unknown EIP: 3EE60000
Source: C:\Windows\System32\sihost.exe Memory written: PID: 5804 base: 1D26B9A0000 value: E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26B9B0000 value starts with: 4D5A
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 830000 value starts with: 4D5A
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BF00000 value starts with: 4D5A
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4950000 value starts with: 4D5A
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63EE61000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: D00000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: D01000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: D10000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: DBE000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: E40000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: D02000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Memory written: C:\Windows\System32\sihost.exe base: 3BD00000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 7FF6BC4D0A20
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26B9A0000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26B9A1000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26B9B0000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BB27000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BC9B000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BC9C000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BEC0000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: B49890
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 680000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 681000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 830000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 831000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 886000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 897000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 89A000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 89B000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 920000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BF00000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26C028000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26C127000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26C128000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\System32\AppHostRegistrationVerifier.exe base: 1D26BEC0000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4950000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4951000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 49F1000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4A19000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4AC6000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4B1A000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4B31000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4B3B000
Source: C:\Windows\System32\sihost.exe Memory written: C:\Windows\SysWOW64\CertEnrollCtrl.exe base: 4840000
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63EE60000
Source: C:\Windows\System32\AppHostRegistrationVerifier.exe Memory written: C:\Windows\System32\sihost.exe base: 1D63EE61000
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\System32\AppHostRegistrationVerifier.exe "C:\Windows\system32\AppHostRegistrationVerifier.exe"
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\System32\sihost.exe Process created: C:\Windows\SysWOW64\CertEnrollCtrl.exe "C:\Windows\SysWOW64\CertEnrollCtrl.exe"
Source: sihost.exe, 00000002.00000000.2096550904.000001D63C371000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000002.4565806161.000001D63C371000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: sihost.exe, 00000002.00000000.2096550904.000001D63C371000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000002.4565806161.000001D63C371000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: sihost.exe, 00000002.00000000.2096550904.000001D63C371000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000002.4565806161.000001D63C371000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: sihost.exe, 00000002.00000000.2096550904.000001D63C371000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000002.00000002.4565806161.000001D63C371000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe Code function: 0_2_004E708A cpuid 0_2_004E708A
Source: C:\Windows\SysWOW64\CertEnrollCtrl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D17070 socket,bind, 2_2_00D17070
Source: C:\Windows\System32\sihost.exe Code function: 2_2_00D13D50 bind, 2_2_00D13D50