File name: Zagreus Builder.exe

Full analysis: https://app.any.run/tasks/082fcedb-a4c8-44af-9fa2-cd4077daa7c0
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to a user's information and transfer it to the attacker. The stealer category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their victims by logging keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: March 25, 2025, 00:17:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
stealer
neshta
confuser
telegram
ims-api
generic
discordgrabber
autorun-download
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 88CD6943FC236ACFD406B339FFACBE46
SHA1: 0F736349C4FD9189F9235AA38B064838FF283636
SHA256: 5E0F46628ECEC878ED244BCCEAA2981B947DB254CF34DFC0B7F4A8D5C211A842
SSDEEP: 49152:oUpLxivo6RKPQS6r7vwNYR8nU/NX+dwZPVqXPbVwuDk/kTsxPSc1lLr2f29UNlkL:6rRyQJnoNYR8eNuWPIPSuDNTZ2N8GP20

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NESHTA mutex has been found

      • ZagreuS Builder.exe (PID: 6044)
      • Zagreus Builder.exe (PID: 9012)
      • ZagreuS Builder.exe (PID: 9056)
      • ZagreuS Builder.exe (PID: 2088)
      • ZagreuS Builder.exe (PID: 7208)
      • ZagreuS Builder.exe (PID: 7236)
      • ZagreuS Builder.exe (PID: 7184)
      • ZagreuS Builder.exe (PID: 8360)
      • ZagreuS Builder.exe (PID: 8912)
      • ZagreuS Builder.exe (PID: 6620)
      • ZagreuS Builder.exe (PID: 8268)
      • ZagreuS Builder.exe (PID: 7984)
      • ZagreuS Builder.exe (PID: 7968)
      • ZagreuS Builder.exe (PID: 7868)
      • ZagreuS Builder.exe (PID: 9116)
      • ZagreuS Builder.exe (PID: 6040)
      • ZagreuS Builder.exe (PID: 5072)
      • ZagreuS Builder.exe (PID: 6136)
      • ZagreuS Builder.exe (PID: 4376)
      • ZagreuS Builder.exe (PID: 8152)
      • ZagreuS Builder.exe (PID: 5280)
    • Actions look like stealing of personal data

      • Cicada.exe (PID: 4776)
      • ZagreuS Builder.exe (PID: 6044)
      • HTTPDebuggerSvc.exe (PID: 5512)
      • certutil.exe (PID: 7588)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • DISCORDGRABBER has been detected (YARA)

      • Cicada.exe (PID: 4776)
    • Steals credentials from Web Browsers

      • Cicada.exe (PID: 4776)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 8428)
    • Executing a file with an untrusted certificate

      • FileCoAuth.exe (PID: 5400)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • Zagreus Builder.exe (PID: 680)
      • Zagreus Builder.exe (PID: 7888)
      • Zagreus Builder.exe (PID: 7332)
      • Zagreus Builder.exe (PID: 5968)
      • Zagreus Builder.exe (PID: 7252)
      • Zagreus Builder.exe (PID: 7172)
      • Zagreus Builder.exe (PID: 3156)
      • Zagreus Builder.exe (PID: 2384)
      • Zagreus Builder.exe (PID: 8040)
      • Zagreus Builder.exe (PID: 8476)
      • Zagreus Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 7660)
      • Zagreus Builder.exe (PID: 5508)
      • Zagreus Builder.exe (PID: 5796)
      • Zagreus Builder.exe (PID: 9008)
      • Zagreus Builder.exe (PID: 7840)
      • Zagreus Builder.exe (PID: 8948)
      • Zagreus Builder.exe (PID: 4724)
      • Zagreus Builder.exe (PID: 5328)
      • Zagreus Builder.exe (PID: 7760)
      • Zagreus Builder.exe (PID: 9156)
      • Zagreus Builder.exe (PID: 8420)
      • Zagreus Builder.exe (PID: 8560)
      • Zagreus Builder.exe (PID: 7400)
      • Zagreus Builder.exe (PID: 7840)
      • Zagreus Builder.exe (PID: 7408)
      • Zagreus Builder.exe (PID: 2776)
      • Zagreus Builder.exe (PID: 2104)
      • Zagreus Builder.exe (PID: 6644)
      • Zagreus Builder.exe (PID: 9028)
      • Zagreus Builder.exe (PID: 8364)
      • Zagreus Builder.exe (PID: 8320)
      • Zagreus Builder.exe (PID: 6872)
      • Zagreus Builder.exe (PID: 4728)
      • Zagreus Builder.exe (PID: 7580)
      • Zagreus Builder.exe (PID: 5720)
      • Zagreus Builder.exe (PID: 8604)
      • Zagreus Builder.exe (PID: 9008)
      • Zagreus Builder.exe (PID: 2656)
      • Zagreus Builder.exe (PID: 5112)
      • Zagreus Builder.exe (PID: 8500)
      • Zagreus Builder.exe (PID: 4728)
      • Zagreus Builder.exe (PID: 8948)
      • Zagreus Builder.exe (PID: 5328)
      • Zagreus Builder.exe (PID: 300)
      • Zagreus Builder.exe (PID: 7896)
    • Executable content was dropped or overwritten

      • Zagreus Builder.exe (PID: 680)
      • ZagreuS Builder.exe (PID: 6044)
      • HTTPDebuggerSvc.exe (PID: 5512)
      • Zagreus Builder.exe (PID: 9012)
      • ZagreuS Builder.exe (PID: 8256)
    • Reads security settings of Internet Explorer

      • Zagreus Builder.exe (PID: 680)
      • ZagreuS Builder.exe (PID: 6044)
      • msiexec.exe (PID: 8796)
      • HTTPDebuggerUI.exe (PID: 8536)
      • Zagreus Builder.exe (PID: 9012)
      • Zagreus Builder.exe (PID: 7888)
      • ZagreuS Builder.exe (PID: 9056)
      • Zagreus Builder.exe (PID: 5968)
      • ZagreuS Builder.exe (PID: 2088)
      • ZagreuS Builder.exe (PID: 7208)
      • Zagreus Builder.exe (PID: 7252)
      • Zagreus Builder.exe (PID: 7332)
      • ZagreuS Builder.exe (PID: 7236)
      • Zagreus Builder.exe (PID: 7172)
      • ZagreuS Builder.exe (PID: 8360)
      • ZagreuS Builder.exe (PID: 7184)
      • Zagreus Builder.exe (PID: 3156)
      • Zagreus Builder.exe (PID: 2384)
      • ZagreuS Builder.exe (PID: 6620)
      • Zagreus Builder.exe (PID: 8040)
      • ZagreuS Builder.exe (PID: 8912)
      • Zagreus Builder.exe (PID: 8476)
      • ZagreuS Builder.exe (PID: 8268)
      • Zagreus Builder.exe (PID: 7660)
      • ZagreuS Builder.exe (PID: 7984)
      • Zagreus Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 5508)
      • ZagreuS Builder.exe (PID: 7968)
      • Zagreus Builder.exe (PID: 5796)
      • ZagreuS Builder.exe (PID: 7868)
      • ZagreuS Builder.exe (PID: 9116)
      • Zagreus Builder.exe (PID: 9008)
      • ZagreuS Builder.exe (PID: 6040)
      • Zagreus Builder.exe (PID: 7840)
      • Zagreus Builder.exe (PID: 4724)
      • ZagreuS Builder.exe (PID: 5072)
      • ZagreuS Builder.exe (PID: 6136)
      • Zagreus Builder.exe (PID: 8948)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 5328)
      • ZagreuS Builder.exe (PID: 8152)
      • Zagreus Builder.exe (PID: 7760)
      • Zagreus Builder.exe (PID: 9156)
      • ZagreuS Builder.exe (PID: 5280)
      • ZagreuS Builder.exe (PID: 7396)
      • Zagreus Builder.exe (PID: 8420)
      • Zagreus Builder.exe (PID: 8560)
      • ZagreuS Builder.exe (PID: 7528)
      • Zagreus Builder.exe (PID: 7400)
      • ZagreuS Builder.exe (PID: 2692)
      • Zagreus Builder.exe (PID: 7840)
      • ZagreuS Builder.exe (PID: 5428)
      • Zagreus Builder.exe (PID: 7408)
      • ZagreuS Builder.exe (PID: 8160)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 2776)
      • ZagreuS Builder.exe (PID: 9136)
      • Zagreus Builder.exe (PID: 2104)
      • Zagreus Builder.exe (PID: 6644)
      • ZagreuS Builder.exe (PID: 9072)
      • Zagreus Builder.exe (PID: 9028)
      • ZagreuS Builder.exe (PID: 8884)
      • Zagreus Builder.exe (PID: 8320)
      • ZagreuS Builder.exe (PID: 6372)
      • Zagreus Builder.exe (PID: 8364)
      • ZagreuS Builder.exe (PID: 2384)
      • Zagreus Builder.exe (PID: 6872)
      • Zagreus Builder.exe (PID: 4728)
      • ZagreuS Builder.exe (PID: 6660)
      • ZagreuS Builder.exe (PID: 6904)
      • Zagreus Builder.exe (PID: 7580)
      • ZagreuS Builder.exe (PID: 8664)
      • Zagreus Builder.exe (PID: 5720)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 8604)
      • Zagreus Builder.exe (PID: 9008)
      • ZagreuS Builder.exe (PID: 7228)
      • Zagreus Builder.exe (PID: 2656)
      • ZagreuS Builder.exe (PID: 9184)
      • ZagreuS Builder.exe (PID: 8884)
      • Zagreus Builder.exe (PID: 5112)
      • ZagreuS Builder.exe (PID: 6388)
      • Zagreus Builder.exe (PID: 8500)
      • ZagreuS Builder.exe (PID: 4528)
      • Zagreus Builder.exe (PID: 4728)
      • ZagreuS Builder.exe (PID: 8824)
      • Zagreus Builder.exe (PID: 8948)
      • Zagreus Builder.exe (PID: 5328)
      • ZagreuS Builder.exe (PID: 7648)
      • ZagreuS Builder.exe (PID: 6572)
      • ZagreuS Builder.exe (PID: 8744)
      • Zagreus Builder.exe (PID: 7896)
      • ZagreuS Builder.exe (PID: 8256)
      • Zagreus Builder.exe (PID: 300)
      • ZagreuS Builder.exe (PID: 7316)
    • Mutex name with non-standard characters

      • ZagreuS Builder.exe (PID: 6044)
      • Zagreus Builder.exe (PID: 9012)
      • ZagreuS Builder.exe (PID: 9056)
      • ZagreuS Builder.exe (PID: 2088)
      • ZagreuS Builder.exe (PID: 7208)
      • ZagreuS Builder.exe (PID: 7236)
      • ZagreuS Builder.exe (PID: 7184)
      • ZagreuS Builder.exe (PID: 6620)
      • ZagreuS Builder.exe (PID: 8360)
      • ZagreuS Builder.exe (PID: 8912)
      • ZagreuS Builder.exe (PID: 8268)
      • ZagreuS Builder.exe (PID: 7984)
      • ZagreuS Builder.exe (PID: 7968)
      • ZagreuS Builder.exe (PID: 7868)
      • ZagreuS Builder.exe (PID: 9116)
      • ZagreuS Builder.exe (PID: 6040)
      • ZagreuS Builder.exe (PID: 5072)
      • ZagreuS Builder.exe (PID: 6136)
      • ZagreuS Builder.exe (PID: 4376)
      • ZagreuS Builder.exe (PID: 8152)
      • ZagreuS Builder.exe (PID: 5280)
    • Write to the desktop.ini file (may be used to cloak folders)

      • Cicada.exe (PID: 4776)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Cicada.exe (PID: 4776)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • There is functionality for taking screenshot (YARA)

      • ZagreuS Builder.exe (PID: 6044)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Cicada.exe (PID: 4776)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Cicada.exe (PID: 4776)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • Starts a Microsoft application from unusual location

      • FileCoAuth.exe (PID: 5400)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7740)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 7740)
      • HTTPDebuggerSvc.exe (PID: 5512)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 7740)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 1280)
    • Executes as Windows Service

      • HTTPDebuggerSvc.exe (PID: 5512)
      • VSSVC.exe (PID: 8220)
    • Creates files in the driver directory

      • HTTPDebuggerSvc.exe (PID: 5512)
    • Reads Microsoft Outlook installation path

      • HTTPDebuggerUI.exe (PID: 8536)
    • Reads Internet Explorer settings

      • HTTPDebuggerUI.exe (PID: 8536)
    • Adds/modifies Windows certificates

      • HTTPDebuggerSvc.exe (PID: 5512)
    • Searches for installed software

      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
  • INFO

    • Reads the machine GUID from the registry

      • Zagreus Builder.exe (PID: 680)
      • Cicada.exe (PID: 4776)
      • FileCoAuth.exe (PID: 5400)
      • msiexec.exe (PID: 7740)
      • HTTPDebuggerSvc.exe (PID: 5512)
      • HTTPDebuggerSvc.exe (PID: 8076)
      • HTTPDebuggerUI.exe (PID: 8536)
      • Zagreus Builder.exe (PID: 7888)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 7400)
      • Zagreus Builder.exe (PID: 7332)
      • Zagreus Builder.exe (PID: 5968)
      • Cicada.exe (PID: 7376)
      • Zagreus Builder.exe (PID: 7252)
      • Cicada.exe (PID: 7480)
      • Zagreus Builder.exe (PID: 7172)
      • Cicada.exe (PID: 3968)
      • Zagreus Builder.exe (PID: 3156)
      • Cicada.exe (PID: 4268)
      • Zagreus Builder.exe (PID: 2384)
      • Zagreus Builder.exe (PID: 8040)
      • Cicada.exe (PID: 8068)
      • Zagreus Builder.exe (PID: 8476)
      • Cicada.exe (PID: 7920)
      • Zagreus Builder.exe (PID: 7660)
      • Cicada.exe (PID: 8916)
      • Zagreus Builder.exe (PID: 4376)
      • Cicada.exe (PID: 8288)
      • Cicada.exe (PID: 2780)
      • Zagreus Builder.exe (PID: 5508)
      • Cicada.exe (PID: 7780)
      • Zagreus Builder.exe (PID: 5796)
      • Zagreus Builder.exe (PID: 9008)
      • Cicada.exe (PID: 9028)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 7824)
      • Zagreus Builder.exe (PID: 7840)
      • Zagreus Builder.exe (PID: 4724)
      • Cicada.exe (PID: 8896)
      • Zagreus Builder.exe (PID: 8948)
      • Zagreus Builder.exe (PID: 5328)
      • Cicada.exe (PID: 7644)
      • Cicada.exe (PID: 736)
      • Zagreus Builder.exe (PID: 7760)
      • Cicada.exe (PID: 5936)
      • Zagreus Builder.exe (PID: 9156)
      • Zagreus Builder.exe (PID: 8420)
      • Cicada.exe (PID: 7336)
      • Zagreus Builder.exe (PID: 8560)
      • Cicada.exe (PID: 8456)
      • Cicada.exe (PID: 5384)
      • Zagreus Builder.exe (PID: 7400)
      • Cicada.exe (PID: 8416)
      • Zagreus Builder.exe (PID: 7840)
      • Cicada.exe (PID: 8864)
      • Cicada.exe (PID: 8204)
      • Zagreus Builder.exe (PID: 7408)
      • Cicada.exe (PID: 7968)
      • Zagreus Builder.exe (PID: 6644)
      • Zagreus Builder.exe (PID: 2776)
      • Cicada.exe (PID: 9208)
      • Zagreus Builder.exe (PID: 2104)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 540)
      • Zagreus Builder.exe (PID: 8364)
      • Zagreus Builder.exe (PID: 9028)
      • Cicada.exe (PID: 8660)
      • Zagreus Builder.exe (PID: 8320)
      • Cicada.exe (PID: 6620)
      • Zagreus Builder.exe (PID: 6872)
      • Cicada.exe (PID: 8880)
      • Zagreus Builder.exe (PID: 4728)
      • Cicada.exe (PID: 1452)
      • Zagreus Builder.exe (PID: 7580)
      • Cicada.exe (PID: 5084)
      • Zagreus Builder.exe (PID: 5720)
      • Cicada.exe (PID: 7644)
      • Zagreus Builder.exe (PID: 8604)
      • Cicada.exe (PID: 3620)
      • Zagreus Builder.exe (PID: 9008)
      • Cicada.exe (PID: 300)
      • Zagreus Builder.exe (PID: 2656)
      • Zagreus Builder.exe (PID: 5112)
      • Cicada.exe (PID: 9120)
      • Zagreus Builder.exe (PID: 8500)
      • Cicada.exe (PID: 8428)
      • Cicada.exe (PID: 8288)
      • Zagreus Builder.exe (PID: 4728)
      • Cicada.exe (PID: 7144)
      • Zagreus Builder.exe (PID: 8948)
      • Zagreus Builder.exe (PID: 5328)
      • Cicada.exe (PID: 5720)
      • Zagreus Builder.exe (PID: 7896)
      • Cicada.exe (PID: 9008)
      • Zagreus Builder.exe (PID: 300)
      • Cicada.exe (PID: 9144)
      • Cicada.exe (PID: 840)
      • ZagreuS Builder.exe (PID: 8416)
    • Process checks computer location settings

      • Zagreus Builder.exe (PID: 680)
      • ZagreuS Builder.exe (PID: 6044)
      • msiexec.exe (PID: 8796)
      • Zagreus Builder.exe (PID: 9012)
      • Zagreus Builder.exe (PID: 7888)
      • ZagreuS Builder.exe (PID: 9056)
      • Zagreus Builder.exe (PID: 5968)
      • ZagreuS Builder.exe (PID: 2088)
      • Zagreus Builder.exe (PID: 7332)
      • ZagreuS Builder.exe (PID: 7208)
      • Zagreus Builder.exe (PID: 7252)
      • Zagreus Builder.exe (PID: 7172)
      • ZagreuS Builder.exe (PID: 7236)
      • Zagreus Builder.exe (PID: 3156)
      • ZagreuS Builder.exe (PID: 8360)
      • ZagreuS Builder.exe (PID: 7184)
      • Zagreus Builder.exe (PID: 2384)
      • ZagreuS Builder.exe (PID: 6620)
      • Zagreus Builder.exe (PID: 8040)
      • ZagreuS Builder.exe (PID: 8912)
      • Zagreus Builder.exe (PID: 8476)
      • ZagreuS Builder.exe (PID: 8268)
      • Zagreus Builder.exe (PID: 7660)
      • ZagreuS Builder.exe (PID: 7984)
      • Zagreus Builder.exe (PID: 4376)
      • ZagreuS Builder.exe (PID: 7968)
      • Zagreus Builder.exe (PID: 5508)
      • Zagreus Builder.exe (PID: 5796)
      • ZagreuS Builder.exe (PID: 7868)
      • ZagreuS Builder.exe (PID: 9116)
      • ZagreuS Builder.exe (PID: 6040)
      • Zagreus Builder.exe (PID: 9008)
      • Zagreus Builder.exe (PID: 7840)
      • ZagreuS Builder.exe (PID: 5072)
      • ZagreuS Builder.exe (PID: 6136)
      • Zagreus Builder.exe (PID: 4724)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 8948)
      • ZagreuS Builder.exe (PID: 8152)
      • Zagreus Builder.exe (PID: 7760)
      • Zagreus Builder.exe (PID: 5328)
      • Zagreus Builder.exe (PID: 9156)
      • ZagreuS Builder.exe (PID: 5280)
      • Zagreus Builder.exe (PID: 8420)
      • ZagreuS Builder.exe (PID: 7396)
      • Zagreus Builder.exe (PID: 8560)
      • ZagreuS Builder.exe (PID: 7316)
      • ZagreuS Builder.exe (PID: 7528)
      • Zagreus Builder.exe (PID: 7400)
      • ZagreuS Builder.exe (PID: 2692)
      • Zagreus Builder.exe (PID: 7840)
      • ZagreuS Builder.exe (PID: 5428)
      • ZagreuS Builder.exe (PID: 8160)
      • Zagreus Builder.exe (PID: 7408)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 6644)
      • Zagreus Builder.exe (PID: 2776)
      • ZagreuS Builder.exe (PID: 9136)
      • ZagreuS Builder.exe (PID: 9072)
      • Zagreus Builder.exe (PID: 2104)
      • Zagreus Builder.exe (PID: 9028)
      • ZagreuS Builder.exe (PID: 8884)
      • Zagreus Builder.exe (PID: 8364)
      • ZagreuS Builder.exe (PID: 6372)
      • ZagreuS Builder.exe (PID: 2384)
      • Zagreus Builder.exe (PID: 6872)
      • Zagreus Builder.exe (PID: 8320)
      • ZagreuS Builder.exe (PID: 6904)
      • Zagreus Builder.exe (PID: 4728)
      • ZagreuS Builder.exe (PID: 6660)
      • Zagreus Builder.exe (PID: 7580)
      • ZagreuS Builder.exe (PID: 8664)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 5720)
      • ZagreuS Builder.exe (PID: 7228)
      • Zagreus Builder.exe (PID: 9008)
      • Zagreus Builder.exe (PID: 8604)
      • Zagreus Builder.exe (PID: 2656)
      • ZagreuS Builder.exe (PID: 9184)
      • ZagreuS Builder.exe (PID: 8884)
      • Zagreus Builder.exe (PID: 5112)
      • ZagreuS Builder.exe (PID: 6388)
      • ZagreuS Builder.exe (PID: 4528)
      • Zagreus Builder.exe (PID: 4728)
      • Zagreus Builder.exe (PID: 8500)
      • ZagreuS Builder.exe (PID: 8824)
      • Zagreus Builder.exe (PID: 8948)
      • Zagreus Builder.exe (PID: 5328)
      • ZagreuS Builder.exe (PID: 7648)
      • ZagreuS Builder.exe (PID: 6572)
      • Zagreus Builder.exe (PID: 7896)
      • ZagreuS Builder.exe (PID: 8744)
      • ZagreuS Builder.exe (PID: 8256)
      • Zagreus Builder.exe (PID: 300)
    • Checks supported languages

      • Zagreus Builder.exe (PID: 680)
      • ZagreuS Builder.exe (PID: 6044)
      • Cicada.exe (PID: 4776)
      • ZagreuS Builder.exe (PID: 6436)
      • FileCoAuth.exe (PID: 5400)
      • msiexec.exe (PID: 8796)
      • msiexec.exe (PID: 7740)
      • msiexec.exe (PID: 5972)
      • HTTPDebuggerSvc.exe (PID: 5512)
      • HTTPDebuggerSvc.exe (PID: 8076)
      • HTTPDebuggerUI.exe (PID: 8536)
      • certutil.exe (PID: 7588)
      • HTTPDebuggerUI.exe (PID: 7780)
      • Zagreus Builder.exe (PID: 7888)
      • Zagreus Builder.exe (PID: 9012)
      • ZagreuS Builder.exe (PID: 9056)
      • Zagreus Builder.exe (PID: 5968)
      • Cicada.exe (PID: 9180)
      • ZagreuS Builder.exe (PID: 2088)
      • Cicada.exe (PID: 7400)
      • Zagreus Builder.exe (PID: 7332)
      • Cicada.exe (PID: 7376)
      • Zagreus Builder.exe (PID: 7252)
      • Cicada.exe (PID: 7480)
      • ZagreuS Builder.exe (PID: 7208)
      • ZagreuS Builder.exe (PID: 7236)
      • Cicada.exe (PID: 3968)
      • Zagreus Builder.exe (PID: 7172)
      • ZagreuS Builder.exe (PID: 7184)
      • Cicada.exe (PID: 4268)
      • Zagreus Builder.exe (PID: 3156)
      • ZagreuS Builder.exe (PID: 8360)
      • Zagreus Builder.exe (PID: 2384)
      • ZagreuS Builder.exe (PID: 6620)
      • Zagreus Builder.exe (PID: 8040)
      • Cicada.exe (PID: 8916)
      • Zagreus Builder.exe (PID: 8476)
      • Cicada.exe (PID: 8068)
      • ZagreuS Builder.exe (PID: 8912)
      • Cicada.exe (PID: 7920)
      • ZagreuS Builder.exe (PID: 8268)
      • Zagreus Builder.exe (PID: 7660)
      • Cicada.exe (PID: 8288)
      • Zagreus Builder.exe (PID: 4376)
      • ZagreuS Builder.exe (PID: 7968)
      • ZagreuS Builder.exe (PID: 7984)
      • Zagreus Builder.exe (PID: 5508)
      • Cicada.exe (PID: 7780)
      • ZagreuS Builder.exe (PID: 7868)
      • Cicada.exe (PID: 2780)
      • Zagreus Builder.exe (PID: 5796)
      • Cicada.exe (PID: 9028)
      • Zagreus Builder.exe (PID: 9008)
      • Cicada.exe (PID: 7824)
      • ZagreuS Builder.exe (PID: 6040)
      • ZagreuS Builder.exe (PID: 9116)
      • ZagreuS Builder.exe (PID: 5072)
      • Zagreus Builder.exe (PID: 7840)
      • Cicada.exe (PID: 904)
      • Zagreus Builder.exe (PID: 4724)
      • ZagreuS Builder.exe (PID: 6136)
      • Cicada.exe (PID: 8896)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 5328)
      • Cicada.exe (PID: 7644)
      • Zagreus Builder.exe (PID: 8948)
      • ZagreuS Builder.exe (PID: 5280)
      • Zagreus Builder.exe (PID: 7760)
      • ZagreuS Builder.exe (PID: 8152)
      • Cicada.exe (PID: 736)
      • Cicada.exe (PID: 5936)
      • Zagreus Builder.exe (PID: 9156)
      • Zagreus Builder.exe (PID: 8420)
      • Cicada.exe (PID: 8456)
      • Cicada.exe (PID: 7336)
      • ZagreuS Builder.exe (PID: 7396)
      • ZagreuS Builder.exe (PID: 7316)
      • ZagreuS Builder.exe (PID: 7528)
      • Zagreus Builder.exe (PID: 8560)
      • ZagreuS Builder.exe (PID: 2692)
      • Cicada.exe (PID: 8416)
      • Zagreus Builder.exe (PID: 7840)
      • Zagreus Builder.exe (PID: 7400)
      • Cicada.exe (PID: 5384)
      • ZagreuS Builder.exe (PID: 5428)
      • Cicada.exe (PID: 8204)
      • ZagreuS Builder.exe (PID: 8160)
      • Zagreus Builder.exe (PID: 2776)
      • Cicada.exe (PID: 8864)
      • Zagreus Builder.exe (PID: 7408)
      • Cicada.exe (PID: 7968)
      • Zagreus Builder.exe (PID: 6644)
      • ZagreuS Builder.exe (PID: 4376)
      • Cicada.exe (PID: 9208)
      • Zagreus Builder.exe (PID: 2104)
      • ZagreuS Builder.exe (PID: 9136)
      • Cicada.exe (PID: 9016)
      • Zagreus Builder.exe (PID: 9028)
      • ZagreuS Builder.exe (PID: 9072)
      • Cicada.exe (PID: 540)
      • ZagreuS Builder.exe (PID: 8884)
      • Zagreus Builder.exe (PID: 8364)
      • ZagreuS Builder.exe (PID: 6372)
      • Cicada.exe (PID: 8660)
      • Zagreus Builder.exe (PID: 8320)
      • Cicada.exe (PID: 6620)
      • Zagreus Builder.exe (PID: 6872)
      • ZagreuS Builder.exe (PID: 6904)
      • ZagreuS Builder.exe (PID: 2384)
      • Cicada.exe (PID: 8880)
      • ZagreuS Builder.exe (PID: 6660)
      • Cicada.exe (PID: 1452)
      • Zagreus Builder.exe (PID: 7580)
      • Zagreus Builder.exe (PID: 4728)
      • Cicada.exe (PID: 5084)
      • ZagreuS Builder.exe (PID: 8664)
      • Zagreus Builder.exe (PID: 5720)
      • Cicada.exe (PID: 7644)
      • Zagreus Builder.exe (PID: 8604)
      • ZagreuS Builder.exe (PID: 4376)
      • ZagreuS Builder.exe (PID: 7228)
      • Cicada.exe (PID: 3620)
      • Zagreus Builder.exe (PID: 9008)
      • Cicada.exe (PID: 300)
      • Cicada.exe (PID: 9120)
      • Zagreus Builder.exe (PID: 2656)
      • ZagreuS Builder.exe (PID: 9184)
      • ZagreuS Builder.exe (PID: 8884)
      • ZagreuS Builder.exe (PID: 6388)
      • Cicada.exe (PID: 8428)
      • Zagreus Builder.exe (PID: 8500)
      • Zagreus Builder.exe (PID: 5112)
      • ZagreuS Builder.exe (PID: 4528)
      • Zagreus Builder.exe (PID: 4728)
      • Cicada.exe (PID: 8288)
      • Cicada.exe (PID: 7144)
      • ZagreuS Builder.exe (PID: 8824)
      • Zagreus Builder.exe (PID: 8948)
      • Cicada.exe (PID: 5720)
      • ZagreuS Builder.exe (PID: 6572)
      • Zagreus Builder.exe (PID: 5328)
      • ZagreuS Builder.exe (PID: 7648)
      • Cicada.exe (PID: 9008)
      • ZagreuS Builder.exe (PID: 8744)
      • Cicada.exe (PID: 9144)
      • Zagreus Builder.exe (PID: 7896)
      • Zagreus Builder.exe (PID: 300)
      • ZagreuS Builder.exe (PID: 8256)
      • ZagreuS Builder.exe (PID: 8416)
      • Cicada.exe (PID: 840)
    • Reads the computer name

      • Zagreus Builder.exe (PID: 680)
      • ZagreuS Builder.exe (PID: 6044)
      • Cicada.exe (PID: 4776)
      • ZagreuS Builder.exe (PID: 6436)
      • msiexec.exe (PID: 7740)
      • FileCoAuth.exe (PID: 5400)
      • msiexec.exe (PID: 5972)
      • msiexec.exe (PID: 8796)
      • HTTPDebuggerSvc.exe (PID: 8076)
      • HTTPDebuggerUI.exe (PID: 8536)
      • HTTPDebuggerSvc.exe (PID: 5512)
      • certutil.exe (PID: 7588)
      • HTTPDebuggerUI.exe (PID: 7780)
      • Zagreus Builder.exe (PID: 9012)
      • Zagreus Builder.exe (PID: 7888)
      • ZagreuS Builder.exe (PID: 9056)
      • Cicada.exe (PID: 9180)
      • Zagreus Builder.exe (PID: 5968)
      • Cicada.exe (PID: 7400)
      • ZagreuS Builder.exe (PID: 2088)
      • Zagreus Builder.exe (PID: 7332)
      • Cicada.exe (PID: 7376)
      • ZagreuS Builder.exe (PID: 7208)
      • Zagreus Builder.exe (PID: 7252)
      • Zagreus Builder.exe (PID: 7172)
      • Cicada.exe (PID: 3968)
      • ZagreuS Builder.exe (PID: 7184)
      • Cicada.exe (PID: 7480)
      • ZagreuS Builder.exe (PID: 7236)
      • Zagreus Builder.exe (PID: 3156)
      • ZagreuS Builder.exe (PID: 8360)
      • Cicada.exe (PID: 4268)
      • Zagreus Builder.exe (PID: 2384)
      • Cicada.exe (PID: 8068)
      • ZagreuS Builder.exe (PID: 6620)
      • Cicada.exe (PID: 8916)
      • ZagreuS Builder.exe (PID: 8912)
      • Zagreus Builder.exe (PID: 8040)
      • Zagreus Builder.exe (PID: 8476)
      • Cicada.exe (PID: 7920)
      • ZagreuS Builder.exe (PID: 8268)
      • Zagreus Builder.exe (PID: 7660)
      • ZagreuS Builder.exe (PID: 7984)
      • Cicada.exe (PID: 8288)
      • Zagreus Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 5508)
      • Cicada.exe (PID: 7780)
      • Cicada.exe (PID: 2780)
      • ZagreuS Builder.exe (PID: 7968)
      • Zagreus Builder.exe (PID: 5796)
      • Cicada.exe (PID: 9028)
      • ZagreuS Builder.exe (PID: 9116)
      • ZagreuS Builder.exe (PID: 7868)
      • Zagreus Builder.exe (PID: 9008)
      • Cicada.exe (PID: 7824)
      • ZagreuS Builder.exe (PID: 6040)
      • ZagreuS Builder.exe (PID: 5072)
      • Cicada.exe (PID: 904)
      • Zagreus Builder.exe (PID: 7840)
      • Zagreus Builder.exe (PID: 4724)
      • Cicada.exe (PID: 8896)
      • Zagreus Builder.exe (PID: 8948)
      • ZagreuS Builder.exe (PID: 6136)
      • Cicada.exe (PID: 7644)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 5328)
      • ZagreuS Builder.exe (PID: 8152)
      • Zagreus Builder.exe (PID: 7760)
      • Cicada.exe (PID: 5936)
      • Cicada.exe (PID: 736)
      • ZagreuS Builder.exe (PID: 5280)
      • Zagreus Builder.exe (PID: 9156)
      • Zagreus Builder.exe (PID: 8420)
      • Cicada.exe (PID: 8456)
      • Cicada.exe (PID: 7336)
      • ZagreuS Builder.exe (PID: 7396)
      • Zagreus Builder.exe (PID: 8560)
      • Cicada.exe (PID: 5384)
      • ZagreuS Builder.exe (PID: 7316)
      • ZagreuS Builder.exe (PID: 7528)
      • Cicada.exe (PID: 8416)
      • ZagreuS Builder.exe (PID: 2692)
      • Zagreus Builder.exe (PID: 7400)
      • ZagreuS Builder.exe (PID: 5428)
      • Cicada.exe (PID: 8204)
      • Zagreus Builder.exe (PID: 7840)
      • ZagreuS Builder.exe (PID: 8160)
      • Cicada.exe (PID: 8864)
      • Zagreus Builder.exe (PID: 2776)
      • Zagreus Builder.exe (PID: 7408)
      • Cicada.exe (PID: 7968)
      • Zagreus Builder.exe (PID: 6644)
      • ZagreuS Builder.exe (PID: 4376)
      • Cicada.exe (PID: 9208)
      • ZagreuS Builder.exe (PID: 9136)
      • Zagreus Builder.exe (PID: 2104)
      • Zagreus Builder.exe (PID: 9028)
      • Cicada.exe (PID: 9016)
      • ZagreuS Builder.exe (PID: 9072)
      • Cicada.exe (PID: 540)
      • ZagreuS Builder.exe (PID: 8884)
      • Zagreus Builder.exe (PID: 8364)
      • Cicada.exe (PID: 8660)
      • ZagreuS Builder.exe (PID: 6372)
      • Zagreus Builder.exe (PID: 8320)
      • ZagreuS Builder.exe (PID: 2384)
      • Zagreus Builder.exe (PID: 6872)
      • Cicada.exe (PID: 8880)
      • ZagreuS Builder.exe (PID: 6904)
      • Cicada.exe (PID: 6620)
      • Zagreus Builder.exe (PID: 4728)
      • Cicada.exe (PID: 1452)
      • ZagreuS Builder.exe (PID: 6660)
      • Zagreus Builder.exe (PID: 7580)
      • Cicada.exe (PID: 5084)
      • ZagreuS Builder.exe (PID: 8664)
      • Zagreus Builder.exe (PID: 5720)
      • Cicada.exe (PID: 7644)
      • ZagreuS Builder.exe (PID: 4376)
      • Zagreus Builder.exe (PID: 8604)
      • Zagreus Builder.exe (PID: 9008)
      • Cicada.exe (PID: 300)
      • ZagreuS Builder.exe (PID: 8884)
      • ZagreuS Builder.exe (PID: 7228)
      • Cicada.exe (PID: 3620)
      • Cicada.exe (PID: 9120)
      • ZagreuS Builder.exe (PID: 9184)
      • Zagreus Builder.exe (PID: 2656)
      • ZagreuS Builder.exe (PID: 6388)
      • Zagreus Builder.exe (PID: 5112)
      • Cicada.exe (PID: 8428)
      • Zagreus Builder.exe (PID: 8500)
      • ZagreuS Builder.exe (PID: 4528)
      • Zagreus Builder.exe (PID: 4728)
      • Cicada.exe (PID: 7144)
      • Cicada.exe (PID: 8288)
      • Cicada.exe (PID: 5720)
      • Zagreus Builder.exe (PID: 8948)
      • ZagreuS Builder.exe (PID: 6572)
      • ZagreuS Builder.exe (PID: 8824)
      • Zagreus Builder.exe (PID: 5328)
      • ZagreuS Builder.exe (PID: 7648)
      • Cicada.exe (PID: 9144)
      • Zagreus Builder.exe (PID: 7896)
      • ZagreuS Builder.exe (PID: 8744)
      • Cicada.exe (PID: 9008)
      • Zagreus Builder.exe (PID: 300)
      • ZagreuS Builder.exe (PID: 8256)
      • ZagreuS Builder.exe (PID: 8416)
      • Cicada.exe (PID: 840)
    • Creates files in a temporary directory

      • Zagreus Builder.exe (PID: 680)
      • ZagreuS Builder.exe (PID: 6044)
      • Cicada.exe (PID: 4776)
      • FileCoAuth.exe (PID: 5400)
      • Cicada.exe (PID: 9180)
      • Zagreus Builder.exe (PID: 7840)
      • Cicada.exe (PID: 904)
      • Zagreus Builder.exe (PID: 9156)
      • Zagreus Builder.exe (PID: 8420)
      • Zagreus Builder.exe (PID: 8560)
      • Zagreus Builder.exe (PID: 7400)
      • Zagreus Builder.exe (PID: 7840)
      • Zagreus Builder.exe (PID: 6644)
      • Zagreus Builder.exe (PID: 2104)
      • Zagreus Builder.exe (PID: 8364)
      • Cicada.exe (PID: 9016)
      • Zagreus Builder.exe (PID: 9028)
      • Zagreus Builder.exe (PID: 8320)
      • Zagreus Builder.exe (PID: 5720)
      • Zagreus Builder.exe (PID: 7580)
      • Zagreus Builder.exe (PID: 8604)
      • Zagreus Builder.exe (PID: 9008)
      • Zagreus Builder.exe (PID: 2656)
      • Zagreus Builder.exe (PID: 5112)
      • Cicada.exe (PID: 8428)
      • Zagreus Builder.exe (PID: 8500)
      • Zagreus Builder.exe (PID: 4728)
      • Zagreus Builder.exe (PID: 8948)
      • Zagreus Builder.exe (PID: 5328)
      • Zagreus Builder.exe (PID: 300)
    • Disables trace logs

      • Cicada.exe (PID: 4776)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • Application launched itself

      • firefox.exe (PID: 920)
      • firefox.exe (PID: 5640)
      • firefox.exe (PID: 7600)
      • firefox.exe (PID: 7468)
    • Checks proxy server information

      • Cicada.exe (PID: 4776)
      • explorer.exe (PID: 5492)
      • HTTPDebuggerUI.exe (PID: 8536)
      • Cicada.exe (PID: 9180)
      • slui.exe (PID: 7520)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • msiexec.exe (PID: 7680)
    • Reads the software policy settings

      • Cicada.exe (PID: 4776)
      • explorer.exe (PID: 5492)
      • msiexec.exe (PID: 7680)
      • msiexec.exe (PID: 7740)
      • HTTPDebuggerUI.exe (PID: 8536)
      • slui.exe (PID: 7576)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • slui.exe (PID: 7520)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • Manual execution by a user

      • firefox.exe (PID: 920)
    • Reads CPU info

      • Cicada.exe (PID: 4776)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
      • Cicada.exe (PID: 8428)
    • Confuser has been detected (YARA)

      • Cicada.exe (PID: 4776)
    • Creates files or folders in the user directory

      • Cicada.exe (PID: 4776)
      • FileCoAuth.exe (PID: 5400)
      • explorer.exe (PID: 5492)
      • HTTPDebuggerUI.exe (PID: 8536)
      • Cicada.exe (PID: 904)
      • Cicada.exe (PID: 9016)
    • Autorun file from Downloads

      • firefox.exe (PID: 5640)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5492)
    • Manages system restore points

      • SrTasks.exe (PID: 4152)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7740)
      • msiexec.exe (PID: 7680)
    • The sample was compiled with English language support

      • msiexec.exe (PID: 7740)
      • msiexec.exe (PID: 7680)
      • HTTPDebuggerSvc.exe (PID: 5512)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7740)
    • Creates files in the program directory

      • HTTPDebuggerSvc.exe (PID: 5512)
      • Cicada.exe (PID: 9180)
      • Cicada.exe (PID: 8428)
    • Local mutex for internet shortcut management

      • explorer.exe (PID: 5492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:02 02:46:12+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1333248
InitializedDataSize: 6656
UninitializedDataSize: -
EntryPoint: 0x14774e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: Zagreus Builder.exe
LegalCopyright:
OriginalFileName: Zagreus Builder.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
333
Monitored processes
189
Malicious processes
39
Suspicious processes
16

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 300 | CMD: "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | Path: C:\Users\admin\AppData\Local\Temp\Cicada.exe | Parent process: Zagreus Builder.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RL
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cicada.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 300 | CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\ZagreuS Builder.exe" | Path: C:\Users\admin\AppData\Local\Temp\3582-490\Zagreus Builder.exe | Parent process: ZagreuS Builder.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\zagreus builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 540 | CMD: "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | Path: C:\Users\admin\AppData\Local\Temp\Cicada.exe | Parent process: Zagreus Builder.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RL
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cicada.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 680 | CMD: "C:\Users\admin\Desktop\Zagreus Builder.exe" | Path: C:\Users\admin\Desktop\Zagreus Builder.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\zagreus builder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 736 | CMD: "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | Path: C:\Users\admin\AppData\Local\Temp\Cicada.exe | Parent process: Zagreus Builder.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RL
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cicada.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 840 | CMD: "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | Path: C:\Users\admin\AppData\Local\Temp\Cicada.exe | Parent process: Zagreus Builder.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RL
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cicada.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 904 | CMD: "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | Path: C:\Users\admin\AppData\Local\Temp\Cicada.exe | Parent process: Zagreus Builder.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RL
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cicada.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 920 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\crypt32.dll
PID: 920 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4860 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a2f08c7-47ef-47e3-9377-69d77030bca0} 5640 "\\.\pipe\gecko-crash-server-pipe.5640" 15747f74110 utility | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 920 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2136 -parentBuildID 20240213221259 -prefsHandle 2128 -prefMapHandle 2060 -prefsLen 31073 -prefMapSize 244635 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9b4da0d-b4c4-4efd-a9a7-eee6c6654bb1} 7468 "\\.\pipe\gecko-crash-server-pipe.7468" 17759481d10 socket | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
128 643
Read events
128 212
Write events
402
Delete events
29

Modification events

(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop | Operation: write | Name: IconLayouts | Value:
(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop | Operation: write | Name: IconNameVersion | Value: 1
(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts | Operation: write | Name: LastUpdate | Value: 11F6E16700000000
(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000004028A | Operation: write | Name: VirtualDesktop | Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process: (5492) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppLaunch | Operation: write | Name: 308046B0AF4A39CB | Value: 15
(PID) Process: (4776) Cicada.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (4776) Cicada.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
(PID) Process: (4776) Cicada.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
(PID) Process: (4776) Cicada.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
(PID) Process: (4776) Cicada.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
Executable files
41
Suspicious files
411
Text files
215
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4776 | Process: Cicada.exe | Filename: C:\Users\admin\AppData\Local\Temp\places.raw | Type:
MD5:
SHA256:
PID: 680 | Process: Zagreus Builder.exe | Filename: C:\Users\admin\AppData\Local\Temp\ZagreuS Builder.exe | Type: executable
MD5: D7D116EC9489D35220BB884A3F8CDBE1
SHA256: 6E55F637030B2F16A872169E7C6B1C70B76C761A5BB34170761FCB2079122577
PID: 680 | Process: Zagreus Builder.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cicada.exe | Type: executable
MD5: 9400A5310BB2DE623439B244CBEF49B8
SHA256: 3CDEF3A60769CE6B68A9200A4A4BCBBDADD374D8CECE69C14FF24B2B3869F192
PID: 5492 | Process: explorer.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | Type: binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
PID: 4776 | Process: Cicada.exe | Filename: C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\desktop.ini | Type: text
MD5: 9E36CC3537EE9EE1E3B10FA4E761045B
SHA256: 4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
PID: 4776 | Process: Cicada.exe | Filename: C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\fuckingwithin.rtf | Type: text
MD5: 78A9BD5C6EDDF19C62093628A5E7329A
SHA256: 0B4260E76C19D692D52F99BB4591530FC8244285D0A80CDDC16DE1E2CCDB4182
PID: 4776 | Process: Cicada.exe | Filename: C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\manufacturingplanning.rtf | Type: text
MD5: 1CBB9A4861CD0C3BC4961C3D6246A403
SHA256: 2F05D21F249341FB6A677544FF0C31C277C752692598C4074B9A322ABBE51929
PID: 4776 | Process: Cicada.exe | Filename: C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\effectivetoday.rtf | Type: text
MD5: 7BD4C80B27F3AAEACA96004BE96FF8B4
SHA256: B22FCD73B375E18E13C73A210D59435C59DBDF8A98FADCA4676CBCBEF608856D
PID: 4776 | Process: Cicada.exe | Filename: C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\InstalledSoftware.txt | Type: text
MD5: 9FE3E9FBA5C9F39C7C244BD808A9777F
SHA256: 6FD5F361A1FEAA428050DA60111432F85E03ED3D7571D5B86CEC3C77296C9D10
PID: 4776 | Process: Cicada.exe | Filename: C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\masend.rtf | Type: text
MD5: E46D2B376CD7D650C4F0DDCBE7FB7FCA
SHA256: 223D1130DD9E3D6B743DB0FBDEDA0626B01DFDF0FA3B2DFC199FB8B2EA2EB03E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
83
TCP/UDP connections
319
DNS requests
236
Threats
118

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
PID: 5496 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP Code: 200 | IP: 23.48.23.156:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: 6544 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 2.17.190.73:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: GET | HTTP Code: 200 | IP: 34.107.221.82:80 | URL: http://detectportal.firefox.com/canonical.html | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: GET | HTTP Code: 200 | IP: 34.107.221.82:80 | URL: http://detectportal.firefox.com/success.txt?ipv4 | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: POST | HTTP Code: 200 | IP: 184.24.77.79:80 | URL: http://r11.o.lencr.org/ | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: POST | HTTP Code: 200 | IP: 142.250.186.99:80 | URL: http://o.pki.goog/s/wr3/cgo | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: POST | HTTP Code: 200 | IP: 184.24.77.79:80 | URL: http://r10.o.lencr.org/ | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: POST | HTTP Code: 200 | IP: 184.24.77.79:80 | URL: http://r11.o.lencr.org/ | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: POST | HTTP Code: 200 | IP: 184.24.77.79:80 | URL: http://r10.o.lencr.org/ | CN: unknown | Reputation: whitelisted
PID: 5640 | Process: firefox.exe | Method: POST | HTTP Code: 200 | IP: 184.24.77.79:80 | URL: http://r10.o.lencr.org/ | CN: unknown | Reputation: whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 5496 | Process: MoUsoCoreWorker.exe | IP: 23.48.23.156:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 5496 | Process: MoUsoCoreWorker.exe | IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 4996 | Process: RUXIMICS.exe | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 3216 | Process: svchost.exe | IP: 40.113.110.67:443 | Domain: client.wns.windows.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
PID: 4776 | Process: Cicada.exe | IP: 162.125.72.15:443 | Domain: dl.dropboxusercontent.com | ASN: DROPBOX | CN: US | Reputation: whitelisted
PID: 4776 | Process: Cicada.exe | IP: 104.21.32.1:443 | Domain: freegeoip.app | ASN: CLOUDFLARENET | Reputation: whitelisted
PID: 6544 | Process: svchost.exe | IP: 20.190.160.66:443 | Domain: login.live.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted


Threats

PID
Process
Class
Message
PID: 2196 | Process: svchost.exe | Class: Device Retrieving External IP Address Detected | Message: INFO [ANY.RUN] External IP Checker Domain (freegeoip .app)
PID: 4776 | Process: Cicada.exe | Class: Misc activity | Message: ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
PID: 4776 | Process: Cicada.exe | Class: Misc activity | Message: ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
PID: 2196 | Process: svchost.exe | Class: Potentially Bad Traffic | Message: ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
PID: 4776 | Process: Cicada.exe | Class: Potentially Bad Traffic | Message: ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
PID: 4776 | Process: Cicada.exe | Class: Device Retrieving External IP Address Detected | Message: INFO [ANY.RUN] SNI External IP Domain Lookup (freegeoip .app)
PID: 4776 | Process: Cicada.exe | Class: Misc activity | Message: ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
PID: 4776 | Process: Cicada.exe | Class: Misc activity | Message: ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
PID: 4776 | Process: Cicada.exe | Class: Misc activity | Message: ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
PID: 4776 | Process: Cicada.exe | Class: Misc activity | Message: ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
No debug info