| File name: | Zagreus Builder.exe |
| Full analysis: | https://app.any.run/tasks/d38ec435-ac17-4609-bf8a-498e3678a534 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 25, 2025, 00:24:31 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 88CD6943FC236ACFD406B339FFACBE46 |
| SHA1: | 0F736349C4FD9189F9235AA38B064838FF283636 |
| SHA256: | 5E0F46628ECEC878ED244BCCEAA2981B947DB254CF34DFC0B7F4A8D5C211A842 |
| SSDEEP: | 49152:oUpLxivo6RKPQS6r7vwNYR8nU/NX+dwZPVqXPbVwuDk/kTsxPSc1lLr2f29UNlkL:6rRyQJnoNYR8eNuWPIPSuDNTZ2N8GP20 |
MALICIOUS
NESHTA mutex has been found
- ZagreuS Builder.exe (PID: 4724)
- FileCoAuth.exe (PID: 6872)
- Zagreus Builder.exe (PID: 7188)
- ZagreuS Builder.exe (PID: 8924)
- ZagreuS Builder.exe (PID: 7052)
- ZagreuS Builder.exe (PID: 8208)
- ZagreuS Builder.exe (PID: 668)
Actions looks like stealing of personal data
- Cicada.exe (PID: 4868)
- ZagreuS Builder.exe (PID: 4724)
- FileCoAuth.exe (PID: 6872)
- HTTPDebuggerSvc.exe (PID: 4688)
- certutil.exe (PID: 4268)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Steals credentials from Web Browsers
- Cicada.exe (PID: 4868)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
DISCORDGRABBER has been detected (YARA)
- Cicada.exe (PID: 4868)
Executing a file with an untrusted certificate
- FileCoAuth.exe (PID: 2644)
SUSPICIOUS
Reads the date of Windows installation
- Zagreus Builder.exe (PID: 1760)
- Zagreus Builder.exe (PID: 7220)
- Zagreus Builder.exe (PID: 5172)
- Zagreus Builder.exe (PID: 8940)
- Zagreus Builder.exe (PID: 8712)
- Zagreus Builder.exe (PID: 8876)
- Zagreus Builder.exe (PID: 7540)
- Zagreus Builder.exe (PID: 9076)
- Zagreus Builder.exe (PID: 5868)
- Zagreus Builder.exe (PID: 7608)
- Zagreus Builder.exe (PID: 9136)
- Zagreus Builder.exe (PID: 9156)
- Zagreus Builder.exe (PID: 7468)
- Zagreus Builder.exe (PID: 736)
- Zagreus Builder.exe (PID: 7808)
- Zagreus Builder.exe (PID: 7780)
- Zagreus Builder.exe (PID: 7544)
- Zagreus Builder.exe (PID: 9200)
- Zagreus Builder.exe (PID: 7488)
- Zagreus Builder.exe (PID: 9112)
- Zagreus Builder.exe (PID: 7612)
- Zagreus Builder.exe (PID: 300)
- Zagreus Builder.exe (PID: 6908)
- Zagreus Builder.exe (PID: 2416)
- Zagreus Builder.exe (PID: 684)
- Zagreus Builder.exe (PID: 9188)
- Zagreus Builder.exe (PID: 7348)
- Zagreus Builder.exe (PID: 4448)
- Zagreus Builder.exe (PID: 8744)
- Zagreus Builder.exe (PID: 7852)
- Zagreus Builder.exe (PID: 6712)
- Zagreus Builder.exe (PID: 4172)
- Zagreus Builder.exe (PID: 5428)
- Zagreus Builder.exe (PID: 4608)
- Zagreus Builder.exe (PID: 4696)
- Zagreus Builder.exe (PID: 8468)
- Zagreus Builder.exe (PID: 7712)
- Zagreus Builder.exe (PID: 7296)
- Zagreus Builder.exe (PID: 7344)
- Zagreus Builder.exe (PID: 5968)
- Zagreus Builder.exe (PID: 7532)
- Zagreus Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 8820)
- Zagreus Builder.exe (PID: 5360)
- Zagreus Builder.exe (PID: 8836)
- Zagreus Builder.exe (PID: 9012)
- Zagreus Builder.exe (PID: 7896)
- Zagreus Builder.exe (PID: 9160)
- Zagreus Builder.exe (PID: 9092)
- Zagreus Builder.exe (PID: 4608)
- Zagreus Builder.exe (PID: 8116)
- Zagreus Builder.exe (PID: 1056)
- Zagreus Builder.exe (PID: 2984)
- Zagreus Builder.exe (PID: 680)
- Zagreus Builder.exe (PID: 7772)
- Zagreus Builder.exe (PID: 7728)
- Zagreus Builder.exe (PID: 4452)
- Zagreus Builder.exe (PID: 1176)
- Zagreus Builder.exe (PID: 8748)
- Zagreus Builder.exe (PID: 5868)
- Zagreus Builder.exe (PID: 4884)
- Zagreus Builder.exe (PID: 3572)
- Zagreus Builder.exe (PID: 6240)
- Zagreus Builder.exe (PID: 6904)
- Zagreus Builder.exe (PID: 8860)
- Zagreus Builder.exe (PID: 6168)
- Zagreus Builder.exe (PID: 1516)
- Zagreus Builder.exe (PID: 4184)
- Zagreus Builder.exe (PID: 6404)
- Zagreus Builder.exe (PID: 7636)
- Zagreus Builder.exe (PID: 516)
- Zagreus Builder.exe (PID: 7936)
- Zagreus Builder.exe (PID: 8992)
- Zagreus Builder.exe (PID: 5436)
- Zagreus Builder.exe (PID: 6500)
Reads security settings of Internet Explorer
- Zagreus Builder.exe (PID: 1760)
- ZagreuS Builder.exe (PID: 4724)
- FileCoAuth.exe (PID: 6872)
- HTTPDebuggerUI.exe (PID: 2268)
- msiexec.exe (PID: 6344)
- Zagreus Builder.exe (PID: 7188)
- Zagreus Builder.exe (PID: 7220)
- ZagreuS Builder.exe (PID: 8924)
- Zagreus Builder.exe (PID: 5172)
- ZagreuS Builder.exe (PID: 7052)
- Zagreus Builder.exe (PID: 8940)
- ZagreuS Builder.exe (PID: 8208)
- Zagreus Builder.exe (PID: 8712)
- ZagreuS Builder.exe (PID: 668)
- Zagreus Builder.exe (PID: 8876)
- ZagreuS Builder.exe (PID: 736)
- Zagreus Builder.exe (PID: 7540)
- ZagreuS Builder.exe (PID: 7808)
- Zagreus Builder.exe (PID: 5868)
- ZagreuS Builder.exe (PID: 1096)
- Zagreus Builder.exe (PID: 9076)
- ZagreuS Builder.exe (PID: 1748)
- Zagreus Builder.exe (PID: 7608)
- ZagreuS Builder.exe (PID: 4408)
- Zagreus Builder.exe (PID: 9136)
- ZagreuS Builder.exe (PID: 9180)
- Zagreus Builder.exe (PID: 9156)
- ZagreuS Builder.exe (PID: 7320)
- Zagreus Builder.exe (PID: 7468)
- ZagreuS Builder.exe (PID: 8320)
- ZagreuS Builder.exe (PID: 7296)
- Zagreus Builder.exe (PID: 736)
- Zagreus Builder.exe (PID: 7808)
- ZagreuS Builder.exe (PID: 6208)
- ZagreuS Builder.exe (PID: 3676)
- Zagreus Builder.exe (PID: 7780)
- ZagreuS Builder.exe (PID: 9104)
- Zagreus Builder.exe (PID: 7544)
- ZagreuS Builder.exe (PID: 4408)
- Zagreus Builder.exe (PID: 9200)
- Zagreus Builder.exe (PID: 9112)
- ZagreuS Builder.exe (PID: 1672)
- Zagreus Builder.exe (PID: 7488)
- ZagreuS Builder.exe (PID: 8840)
- Zagreus Builder.exe (PID: 7612)
- Zagreus Builder.exe (PID: 300)
- ZagreuS Builder.exe (PID: 5124)
- ZagreuS Builder.exe (PID: 1812)
- Zagreus Builder.exe (PID: 6908)
- ZagreuS Builder.exe (PID: 2908)
- ZagreuS Builder.exe (PID: 8220)
- Zagreus Builder.exe (PID: 2416)
- Zagreus Builder.exe (PID: 684)
- ZagreuS Builder.exe (PID: 9084)
- Zagreus Builder.exe (PID: 9188)
- ZagreuS Builder.exe (PID: 9180)
- ZagreuS Builder.exe (PID: 7468)
- Zagreus Builder.exe (PID: 7348)
- Zagreus Builder.exe (PID: 4448)
- ZagreuS Builder.exe (PID: 7524)
- Zagreus Builder.exe (PID: 8744)
- Zagreus Builder.exe (PID: 7852)
- ZagreuS Builder.exe (PID: 7352)
- ZagreuS Builder.exe (PID: 6904)
- Zagreus Builder.exe (PID: 6712)
- ZagreuS Builder.exe (PID: 1600)
- Zagreus Builder.exe (PID: 4172)
- Zagreus Builder.exe (PID: 5428)
- ZagreuS Builder.exe (PID: 2644)
- Zagreus Builder.exe (PID: 4608)
- ZagreuS Builder.exe (PID: 7584)
- ZagreuS Builder.exe (PID: 4380)
- Zagreus Builder.exe (PID: 4696)
- ZagreuS Builder.exe (PID: 7000)
- Zagreus Builder.exe (PID: 8468)
- ZagreuS Builder.exe (PID: 732)
- Zagreus Builder.exe (PID: 7712)
- ZagreuS Builder.exe (PID: 8244)
- ZagreuS Builder.exe (PID: 2064)
- Zagreus Builder.exe (PID: 7344)
- ZagreuS Builder.exe (PID: 7248)
- Zagreus Builder.exe (PID: 5968)
- ZagreuS Builder.exe (PID: 4300)
- Zagreus Builder.exe (PID: 7296)
- Zagreus Builder.exe (PID: 7532)
- ZagreuS Builder.exe (PID: 7796)
- Zagreus Builder.exe (PID: 8820)
- ZagreuS Builder.exe (PID: 8288)
- ZagreuS Builder.exe (PID: 7968)
- Zagreus Builder.exe (PID: 5360)
- ZagreuS Builder.exe (PID: 7204)
- Zagreus Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 8836)
- ZagreuS Builder.exe (PID: 4220)
- Zagreus Builder.exe (PID: 9012)
- ZagreuS Builder.exe (PID: 8524)
- Zagreus Builder.exe (PID: 7896)
- ZagreuS Builder.exe (PID: 7344)
- Zagreus Builder.exe (PID: 9160)
- ZagreuS Builder.exe (PID: 5968)
- ZagreuS Builder.exe (PID: 4188)
- Zagreus Builder.exe (PID: 4608)
- Zagreus Builder.exe (PID: 9092)
- Zagreus Builder.exe (PID: 8116)
- ZagreuS Builder.exe (PID: 7428)
- ZagreuS Builder.exe (PID: 4980)
- Zagreus Builder.exe (PID: 1056)
- ZagreuS Builder.exe (PID: 7524)
- Zagreus Builder.exe (PID: 2984)
- Zagreus Builder.exe (PID: 680)
- ZagreuS Builder.exe (PID: 1764)
- ZagreuS Builder.exe (PID: 7480)
- ZagreuS Builder.exe (PID: 6184)
- Zagreus Builder.exe (PID: 7772)
- Zagreus Builder.exe (PID: 7728)
- ZagreuS Builder.exe (PID: 2416)
- Zagreus Builder.exe (PID: 4452)
- ZagreuS Builder.exe (PID: 6940)
- Zagreus Builder.exe (PID: 1176)
- ZagreuS Builder.exe (PID: 9052)
- Zagreus Builder.exe (PID: 8748)
- Zagreus Builder.exe (PID: 5868)
- ZagreuS Builder.exe (PID: 8908)
- ZagreuS Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 4884)
- ZagreuS Builder.exe (PID: 7348)
- Zagreus Builder.exe (PID: 3572)
- ZagreuS Builder.exe (PID: 732)
- ZagreuS Builder.exe (PID: 4692)
- Zagreus Builder.exe (PID: 6240)
- Zagreus Builder.exe (PID: 6904)
- ZagreuS Builder.exe (PID: 2960)
- Zagreus Builder.exe (PID: 8860)
- ZagreuS Builder.exe (PID: 7236)
- Zagreus Builder.exe (PID: 6168)
- ZagreuS Builder.exe (PID: 8964)
- Zagreus Builder.exe (PID: 1516)
- ZagreuS Builder.exe (PID: 4784)
- Zagreus Builder.exe (PID: 4184)
- ZagreuS Builder.exe (PID: 8872)
- Zagreus Builder.exe (PID: 7636)
- ZagreuS Builder.exe (PID: 7292)
- ZagreuS Builder.exe (PID: 7516)
- Zagreus Builder.exe (PID: 516)
- ZagreuS Builder.exe (PID: 8680)
- Zagreus Builder.exe (PID: 6404)
- Zagreus Builder.exe (PID: 7936)
- ZagreuS Builder.exe (PID: 7476)
- ZagreuS Builder.exe (PID: 968)
- Zagreus Builder.exe (PID: 8992)
- Zagreus Builder.exe (PID: 4692)
- Zagreus Builder.exe (PID: 5436)
- ZagreuS Builder.exe (PID: 9164)
- Zagreus Builder.exe (PID: 6500)
- ZagreuS Builder.exe (PID: 4620)
Executable content was dropped or overwritten
- ZagreuS Builder.exe (PID: 4724)
- Zagreus Builder.exe (PID: 1760)
- HTTPDebuggerSvc.exe (PID: 4688)
- Zagreus Builder.exe (PID: 7188)
Mutex name with non-standard characters
- ZagreuS Builder.exe (PID: 4724)
- FileCoAuth.exe (PID: 6872)
- Zagreus Builder.exe (PID: 7188)
- ZagreuS Builder.exe (PID: 8924)
- ZagreuS Builder.exe (PID: 7052)
- ZagreuS Builder.exe (PID: 8208)
- ZagreuS Builder.exe (PID: 668)
Write to the desktop.ini file (may be used to cloak folders)
- Cicada.exe (PID: 4868)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Checks for external IP
- svchost.exe (PID: 2196)
- Cicada.exe (PID: 4868)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- Cicada.exe (PID: 4868)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Possible usage of Discord/Telegram API has been detected (YARA)
- Cicada.exe (PID: 4868)
Process drops legitimate windows executable
- FileCoAuth.exe (PID: 6872)
Starts a Microsoft application from unusual location
- FileCoAuth.exe (PID: 2644)
There is functionality for taking screenshot (YARA)
- FileCoAuth.exe (PID: 6872)
Detects AdvancedInstaller (YARA)
- msiexec.exe (PID: 8256)
- msiexec.exe (PID: 8196)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 8196)
Drops a system driver (possible attempt to evade defenses)
- msiexec.exe (PID: 8196)
- HTTPDebuggerSvc.exe (PID: 4688)
Executes as Windows Service
- HTTPDebuggerSvc.exe (PID: 4688)
- VSSVC.exe (PID: 8452)
Creates/Modifies COM task schedule object
- msiexec.exe (PID: 6644)
Creates files in the driver directory
- HTTPDebuggerSvc.exe (PID: 4688)
Reads Internet Explorer settings
- HTTPDebuggerUI.exe (PID: 2268)
Reads Microsoft Outlook installation path
- HTTPDebuggerUI.exe (PID: 2268)
Adds/modifies Windows certificates
- HTTPDebuggerSvc.exe (PID: 4688)
Searches for installed software
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
INFO
Reads the computer name
- Zagreus Builder.exe (PID: 1760)
- ZagreuS Builder.exe (PID: 4724)
- Cicada.exe (PID: 4868)
- ZagreuS Builder.exe (PID: 5528)
- FileCoAuth.exe (PID: 2644)
- msiexec.exe (PID: 6344)
- msiexec.exe (PID: 5324)
- msiexec.exe (PID: 8196)
- HTTPDebuggerSvc.exe (PID: 4688)
- HTTPDebuggerSvc.exe (PID: 3016)
- HTTPDebuggerUI.exe (PID: 2268)
- certutil.exe (PID: 4268)
- Zagreus Builder.exe (PID: 7220)
- Cicada.exe (PID: 7224)
- ZagreuS Builder.exe (PID: 8924)
- Zagreus Builder.exe (PID: 5172)
- Cicada.exe (PID: 7332)
- ZagreuS Builder.exe (PID: 7052)
- Cicada.exe (PID: 6656)
- ZagreuS Builder.exe (PID: 8208)
- Zagreus Builder.exe (PID: 8940)
- Zagreus Builder.exe (PID: 8712)
- ZagreuS Builder.exe (PID: 668)
- Cicada.exe (PID: 8812)
- Zagreus Builder.exe (PID: 8876)
- ZagreuS Builder.exe (PID: 736)
- Cicada.exe (PID: 7748)
- Zagreus Builder.exe (PID: 7188)
- Zagreus Builder.exe (PID: 7540)
- Cicada.exe (PID: 5588)
- ZagreuS Builder.exe (PID: 7808)
- Zagreus Builder.exe (PID: 5868)
- Cicada.exe (PID: 5436)
- ZagreuS Builder.exe (PID: 1096)
- Zagreus Builder.exe (PID: 9076)
- Cicada.exe (PID: 3024)
- ZagreuS Builder.exe (PID: 1748)
- Zagreus Builder.exe (PID: 7608)
- Cicada.exe (PID: 8980)
- ZagreuS Builder.exe (PID: 4408)
- Zagreus Builder.exe (PID: 9136)
- Cicada.exe (PID: 8816)
- ZagreuS Builder.exe (PID: 9180)
- Zagreus Builder.exe (PID: 9156)
- ZagreuS Builder.exe (PID: 7320)
- Zagreus Builder.exe (PID: 736)
- Cicada.exe (PID: 644)
- ZagreuS Builder.exe (PID: 8320)
- Cicada.exe (PID: 7644)
- Zagreus Builder.exe (PID: 7468)
- ZagreuS Builder.exe (PID: 7296)
- Cicada.exe (PID: 7876)
- Zagreus Builder.exe (PID: 7808)
- Cicada.exe (PID: 7248)
- ZagreuS Builder.exe (PID: 6208)
- ZagreuS Builder.exe (PID: 3676)
- Cicada.exe (PID: 7492)
- Zagreus Builder.exe (PID: 7780)
- Cicada.exe (PID: 7152)
- ZagreuS Builder.exe (PID: 9104)
- Zagreus Builder.exe (PID: 7544)
- ZagreuS Builder.exe (PID: 4408)
- Zagreus Builder.exe (PID: 9200)
- Cicada.exe (PID: 8940)
- ZagreuS Builder.exe (PID: 1672)
- Cicada.exe (PID: 7464)
- Zagreus Builder.exe (PID: 7488)
- Zagreus Builder.exe (PID: 9112)
- Cicada.exe (PID: 2100)
- ZagreuS Builder.exe (PID: 8840)
- Zagreus Builder.exe (PID: 7612)
- Cicada.exe (PID: 7372)
- ZagreuS Builder.exe (PID: 1812)
- Zagreus Builder.exe (PID: 300)
- Cicada.exe (PID: 8668)
- ZagreuS Builder.exe (PID: 5124)
- ZagreuS Builder.exe (PID: 2908)
- Zagreus Builder.exe (PID: 2416)
- Zagreus Builder.exe (PID: 6908)
- Cicada.exe (PID: 7500)
- ZagreuS Builder.exe (PID: 8220)
- Cicada.exe (PID: 8804)
- Zagreus Builder.exe (PID: 684)
- Cicada.exe (PID: 9164)
- ZagreuS Builder.exe (PID: 9084)
- ZagreuS Builder.exe (PID: 9180)
- Zagreus Builder.exe (PID: 4448)
- Zagreus Builder.exe (PID: 9188)
- Cicada.exe (PID: 7564)
- ZagreuS Builder.exe (PID: 7468)
- Zagreus Builder.exe (PID: 7348)
- Cicada.exe (PID: 6988)
- Cicada.exe (PID: 8380)
- ZagreuS Builder.exe (PID: 7524)
- Cicada.exe (PID: 4024)
- Zagreus Builder.exe (PID: 8744)
- ZagreuS Builder.exe (PID: 7352)
- Cicada.exe (PID: 1120)
- Zagreus Builder.exe (PID: 6712)
- ZagreuS Builder.exe (PID: 6904)
- Zagreus Builder.exe (PID: 7852)
- Cicada.exe (PID: 7556)
- ZagreuS Builder.exe (PID: 1600)
- Zagreus Builder.exe (PID: 4172)
- ZagreuS Builder.exe (PID: 2644)
- Zagreus Builder.exe (PID: 5428)
- Cicada.exe (PID: 9116)
- Cicada.exe (PID: 5728)
- Zagreus Builder.exe (PID: 4608)
- Cicada.exe (PID: 736)
- ZagreuS Builder.exe (PID: 7584)
- ZagreuS Builder.exe (PID: 4380)
- Zagreus Builder.exe (PID: 4696)
- ZagreuS Builder.exe (PID: 7000)
- Cicada.exe (PID: 8888)
- Zagreus Builder.exe (PID: 8468)
- Cicada.exe (PID: 6736)
- ZagreuS Builder.exe (PID: 732)
- Zagreus Builder.exe (PID: 7712)
- ZagreuS Builder.exe (PID: 8244)
- Cicada.exe (PID: 7212)
- Zagreus Builder.exe (PID: 7296)
- Cicada.exe (PID: 7772)
- ZagreuS Builder.exe (PID: 2064)
- Zagreus Builder.exe (PID: 7344)
- ZagreuS Builder.exe (PID: 7248)
- Zagreus Builder.exe (PID: 5968)
- ZagreuS Builder.exe (PID: 4300)
- Cicada.exe (PID: 8980)
- Cicada.exe (PID: 6676)
- Zagreus Builder.exe (PID: 7532)
- Cicada.exe (PID: 7780)
- ZagreuS Builder.exe (PID: 7796)
- Cicada.exe (PID: 8180)
- ZagreuS Builder.exe (PID: 8288)
- Zagreus Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 8820)
- Cicada.exe (PID: 8792)
- ZagreuS Builder.exe (PID: 7968)
- Cicada.exe (PID: 732)
- ZagreuS Builder.exe (PID: 7204)
- Zagreus Builder.exe (PID: 5360)
- Zagreus Builder.exe (PID: 8836)
- Cicada.exe (PID: 8960)
- ZagreuS Builder.exe (PID: 4220)
- Zagreus Builder.exe (PID: 9012)
- ZagreuS Builder.exe (PID: 8524)
- Cicada.exe (PID: 5452)
- Zagreus Builder.exe (PID: 7896)
- Cicada.exe (PID: 7444)
- ZagreuS Builder.exe (PID: 7344)
- ZagreuS Builder.exe (PID: 5968)
- Cicada.exe (PID: 4380)
- Zagreus Builder.exe (PID: 9092)
- Zagreus Builder.exe (PID: 9160)
- Zagreus Builder.exe (PID: 4608)
- Cicada.exe (PID: 644)
- Cicada.exe (PID: 9052)
- ZagreuS Builder.exe (PID: 4188)
- Zagreus Builder.exe (PID: 8116)
- Cicada.exe (PID: 8804)
- ZagreuS Builder.exe (PID: 7428)
- ZagreuS Builder.exe (PID: 4980)
- ZagreuS Builder.exe (PID: 7524)
- Cicada.exe (PID: 516)
- Zagreus Builder.exe (PID: 1056)
- Zagreus Builder.exe (PID: 2984)
- Cicada.exe (PID: 1052)
- ZagreuS Builder.exe (PID: 1764)
- Cicada.exe (PID: 7488)
- ZagreuS Builder.exe (PID: 7480)
- Zagreus Builder.exe (PID: 680)
- Zagreus Builder.exe (PID: 7772)
- Zagreus Builder.exe (PID: 7728)
- ZagreuS Builder.exe (PID: 6184)
- Cicada.exe (PID: 2692)
- ZagreuS Builder.exe (PID: 2416)
- Cicada.exe (PID: 8212)
- ZagreuS Builder.exe (PID: 6940)
- Zagreus Builder.exe (PID: 1176)
- Zagreus Builder.exe (PID: 4452)
- Cicada.exe (PID: 8788)
- ZagreuS Builder.exe (PID: 9052)
- Cicada.exe (PID: 6112)
- Zagreus Builder.exe (PID: 5868)
- Cicada.exe (PID: 4696)
- ZagreuS Builder.exe (PID: 8908)
- Zagreus Builder.exe (PID: 8748)
- Cicada.exe (PID: 8644)
- Zagreus Builder.exe (PID: 4884)
- ZagreuS Builder.exe (PID: 7348)
- Cicada.exe (PID: 2392)
- ZagreuS Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 3572)
- Cicada.exe (PID: 7884)
- ZagreuS Builder.exe (PID: 732)
- Zagreus Builder.exe (PID: 6904)
- ZagreuS Builder.exe (PID: 4692)
- Cicada.exe (PID: 3124)
- Zagreus Builder.exe (PID: 6240)
- Zagreus Builder.exe (PID: 8860)
- Cicada.exe (PID: 8524)
- ZagreuS Builder.exe (PID: 7236)
- ZagreuS Builder.exe (PID: 2960)
- Cicada.exe (PID: 7888)
- ZagreuS Builder.exe (PID: 8964)
- Zagreus Builder.exe (PID: 1516)
- Zagreus Builder.exe (PID: 6168)
- Cicada.exe (PID: 3612)
- Cicada.exe (PID: 2432)
- ZagreuS Builder.exe (PID: 4784)
- Zagreus Builder.exe (PID: 4184)
- Zagreus Builder.exe (PID: 7636)
- Cicada.exe (PID: 8200)
- ZagreuS Builder.exe (PID: 8872)
- Cicada.exe (PID: 8116)
- ZagreuS Builder.exe (PID: 7292)
- Zagreus Builder.exe (PID: 6404)
- Cicada.exe (PID: 6640)
- Zagreus Builder.exe (PID: 516)
- Cicada.exe (PID: 3976)
- ZagreuS Builder.exe (PID: 7516)
- Zagreus Builder.exe (PID: 7936)
- ZagreuS Builder.exe (PID: 7476)
- Zagreus Builder.exe (PID: 4692)
- ZagreuS Builder.exe (PID: 968)
- Zagreus Builder.exe (PID: 8992)
- ZagreuS Builder.exe (PID: 928)
- Cicada.exe (PID: 7640)
- Cicada.exe (PID: 2288)
- Zagreus Builder.exe (PID: 5436)
- Zagreus Builder.exe (PID: 6500)
- Cicada.exe (PID: 8524)
- ZagreuS Builder.exe (PID: 9164)
- ZagreuS Builder.exe (PID: 4620)
- Zagreus Builder.exe (PID: 828)
- Cicada.exe (PID: 9132)
Reads security settings of Internet Explorer
- explorer.exe (PID: 5492)
- Taskmgr.exe (PID: 7192)
- msiexec.exe (PID: 8256)
- Taskmgr.exe (PID: 8540)
Checks supported languages
- Zagreus Builder.exe (PID: 1760)
- ZagreuS Builder.exe (PID: 4724)
- ZagreuS Builder.exe (PID: 5528)
- Cicada.exe (PID: 4868)
- FileCoAuth.exe (PID: 2644)
- msiexec.exe (PID: 6344)
- msiexec.exe (PID: 8196)
- msiexec.exe (PID: 5324)
- HTTPDebuggerSvc.exe (PID: 4688)
- HTTPDebuggerSvc.exe (PID: 3016)
- HTTPDebuggerUI.exe (PID: 2268)
- certutil.exe (PID: 4268)
- Zagreus Builder.exe (PID: 7220)
- ZagreuS Builder.exe (PID: 8924)
- Zagreus Builder.exe (PID: 5172)
- Cicada.exe (PID: 7224)
- ZagreuS Builder.exe (PID: 7052)
- Cicada.exe (PID: 7332)
- Zagreus Builder.exe (PID: 8940)
- Cicada.exe (PID: 6656)
- ZagreuS Builder.exe (PID: 8208)
- Zagreus Builder.exe (PID: 8712)
- ZagreuS Builder.exe (PID: 668)
- Cicada.exe (PID: 8812)
- ZagreuS Builder.exe (PID: 736)
- Cicada.exe (PID: 7748)
- Zagreus Builder.exe (PID: 7188)
- Zagreus Builder.exe (PID: 8876)
- Cicada.exe (PID: 5588)
- Zagreus Builder.exe (PID: 7540)
- ZagreuS Builder.exe (PID: 7808)
- Zagreus Builder.exe (PID: 5868)
- ZagreuS Builder.exe (PID: 1096)
- Cicada.exe (PID: 5436)
- Zagreus Builder.exe (PID: 9076)
- Cicada.exe (PID: 3024)
- ZagreuS Builder.exe (PID: 1748)
- ZagreuS Builder.exe (PID: 4408)
- Cicada.exe (PID: 8980)
- Zagreus Builder.exe (PID: 9136)
- Zagreus Builder.exe (PID: 7608)
- ZagreuS Builder.exe (PID: 9180)
- Cicada.exe (PID: 8816)
- Zagreus Builder.exe (PID: 9156)
- Cicada.exe (PID: 7644)
- ZagreuS Builder.exe (PID: 7320)
- Zagreus Builder.exe (PID: 7468)
- Cicada.exe (PID: 644)
- ZagreuS Builder.exe (PID: 8320)
- Zagreus Builder.exe (PID: 736)
- ZagreuS Builder.exe (PID: 7296)
- Cicada.exe (PID: 7876)
- Zagreus Builder.exe (PID: 7808)
- ZagreuS Builder.exe (PID: 6208)
- Zagreus Builder.exe (PID: 7780)
- ZagreuS Builder.exe (PID: 3676)
- Cicada.exe (PID: 7492)
- Cicada.exe (PID: 7248)
- Zagreus Builder.exe (PID: 7544)
- ZagreuS Builder.exe (PID: 9104)
- Cicada.exe (PID: 8940)
- Cicada.exe (PID: 7152)
- Zagreus Builder.exe (PID: 9200)
- ZagreuS Builder.exe (PID: 4408)
- Cicada.exe (PID: 7464)
- Zagreus Builder.exe (PID: 7488)
- Zagreus Builder.exe (PID: 9112)
- ZagreuS Builder.exe (PID: 1672)
- Cicada.exe (PID: 2100)
- Zagreus Builder.exe (PID: 7612)
- ZagreuS Builder.exe (PID: 8840)
- Cicada.exe (PID: 7372)
- Zagreus Builder.exe (PID: 300)
- Cicada.exe (PID: 8668)
- ZagreuS Builder.exe (PID: 5124)
- ZagreuS Builder.exe (PID: 1812)
- ZagreuS Builder.exe (PID: 2908)
- Cicada.exe (PID: 7500)
- Zagreus Builder.exe (PID: 2416)
- Zagreus Builder.exe (PID: 6908)
- Cicada.exe (PID: 8804)
- ZagreuS Builder.exe (PID: 8220)
- Zagreus Builder.exe (PID: 684)
- Cicada.exe (PID: 9164)
- Zagreus Builder.exe (PID: 9188)
- ZagreuS Builder.exe (PID: 9084)
- ZagreuS Builder.exe (PID: 9180)
- Cicada.exe (PID: 7564)
- Zagreus Builder.exe (PID: 4448)
- ZagreuS Builder.exe (PID: 7468)
- Cicada.exe (PID: 6988)
- Zagreus Builder.exe (PID: 7348)
- Cicada.exe (PID: 8380)
- Zagreus Builder.exe (PID: 8744)
- ZagreuS Builder.exe (PID: 6904)
- Cicada.exe (PID: 4024)
- ZagreuS Builder.exe (PID: 7524)
- Zagreus Builder.exe (PID: 7852)
- ZagreuS Builder.exe (PID: 7352)
- Cicada.exe (PID: 1120)
- Zagreus Builder.exe (PID: 6712)
- Cicada.exe (PID: 7556)
- Zagreus Builder.exe (PID: 4172)
- ZagreuS Builder.exe (PID: 1600)
- Zagreus Builder.exe (PID: 5428)
- ZagreuS Builder.exe (PID: 2644)
- ZagreuS Builder.exe (PID: 4380)
- Cicada.exe (PID: 5728)
- Zagreus Builder.exe (PID: 4608)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 9116)
- ZagreuS Builder.exe (PID: 7584)
- Zagreus Builder.exe (PID: 4696)
- Cicada.exe (PID: 8888)
- Zagreus Builder.exe (PID: 8468)
- ZagreuS Builder.exe (PID: 7000)
- Cicada.exe (PID: 6736)
- Zagreus Builder.exe (PID: 7712)
- ZagreuS Builder.exe (PID: 8244)
- Cicada.exe (PID: 7212)
- Zagreus Builder.exe (PID: 7296)
- ZagreuS Builder.exe (PID: 732)
- Cicada.exe (PID: 7772)
- ZagreuS Builder.exe (PID: 2064)
- Zagreus Builder.exe (PID: 7344)
- ZagreuS Builder.exe (PID: 7248)
- Zagreus Builder.exe (PID: 5968)
- ZagreuS Builder.exe (PID: 4300)
- Cicada.exe (PID: 8980)
- Cicada.exe (PID: 6676)
- Zagreus Builder.exe (PID: 7532)
- Cicada.exe (PID: 7780)
- ZagreuS Builder.exe (PID: 7796)
- Zagreus Builder.exe (PID: 8820)
- Zagreus Builder.exe (PID: 7428)
- ZagreuS Builder.exe (PID: 8288)
- Cicada.exe (PID: 8180)
- Cicada.exe (PID: 8792)
- Zagreus Builder.exe (PID: 5360)
- ZagreuS Builder.exe (PID: 7204)
- ZagreuS Builder.exe (PID: 7968)
- Cicada.exe (PID: 732)
- ZagreuS Builder.exe (PID: 4220)
- Cicada.exe (PID: 8960)
- Zagreus Builder.exe (PID: 9012)
- Zagreus Builder.exe (PID: 8836)
- Cicada.exe (PID: 5452)
- Zagreus Builder.exe (PID: 7896)
- ZagreuS Builder.exe (PID: 7344)
- Cicada.exe (PID: 7444)
- Zagreus Builder.exe (PID: 9160)
- ZagreuS Builder.exe (PID: 8524)
- ZagreuS Builder.exe (PID: 5968)
- Cicada.exe (PID: 4380)
- Zagreus Builder.exe (PID: 9092)
- Cicada.exe (PID: 9052)
- Zagreus Builder.exe (PID: 4608)
- ZagreuS Builder.exe (PID: 4980)
- Cicada.exe (PID: 644)
- ZagreuS Builder.exe (PID: 4188)
- Zagreus Builder.exe (PID: 8116)
- ZagreuS Builder.exe (PID: 7428)
- Cicada.exe (PID: 8804)
- Zagreus Builder.exe (PID: 1056)
- Cicada.exe (PID: 7488)
- ZagreuS Builder.exe (PID: 7524)
- Zagreus Builder.exe (PID: 2984)
- Cicada.exe (PID: 516)
- ZagreuS Builder.exe (PID: 7480)
- ZagreuS Builder.exe (PID: 1764)
- Cicada.exe (PID: 1052)
- Zagreus Builder.exe (PID: 680)
- ZagreuS Builder.exe (PID: 6184)
- Cicada.exe (PID: 2692)
- Zagreus Builder.exe (PID: 7728)
- Zagreus Builder.exe (PID: 7772)
- Cicada.exe (PID: 8212)
- ZagreuS Builder.exe (PID: 2416)
- ZagreuS Builder.exe (PID: 6940)
- Zagreus Builder.exe (PID: 4452)
- Cicada.exe (PID: 8788)
- Zagreus Builder.exe (PID: 5868)
- Zagreus Builder.exe (PID: 1176)
- ZagreuS Builder.exe (PID: 9052)
- Cicada.exe (PID: 6112)
- ZagreuS Builder.exe (PID: 7428)
- ZagreuS Builder.exe (PID: 8908)
- Cicada.exe (PID: 4696)
- Zagreus Builder.exe (PID: 8748)
- Zagreus Builder.exe (PID: 4884)
- ZagreuS Builder.exe (PID: 7348)
- Cicada.exe (PID: 8644)
- Cicada.exe (PID: 2392)
- Zagreus Builder.exe (PID: 3572)
- ZagreuS Builder.exe (PID: 732)
- Cicada.exe (PID: 7884)
- Zagreus Builder.exe (PID: 6904)
- ZagreuS Builder.exe (PID: 4692)
- Cicada.exe (PID: 3124)
- Zagreus Builder.exe (PID: 6240)
- Cicada.exe (PID: 7888)
- ZagreuS Builder.exe (PID: 2960)
- Zagreus Builder.exe (PID: 8860)
- ZagreuS Builder.exe (PID: 7236)
- Cicada.exe (PID: 8524)
- ZagreuS Builder.exe (PID: 8964)
- Zagreus Builder.exe (PID: 1516)
- Zagreus Builder.exe (PID: 6168)
- Cicada.exe (PID: 3612)
- ZagreuS Builder.exe (PID: 4784)
- Cicada.exe (PID: 2432)
- ZagreuS Builder.exe (PID: 8872)
- Cicada.exe (PID: 8200)
- Zagreus Builder.exe (PID: 7636)
- Zagreus Builder.exe (PID: 4184)
- Cicada.exe (PID: 8116)
- ZagreuS Builder.exe (PID: 7292)
- ZagreuS Builder.exe (PID: 7516)
- Cicada.exe (PID: 6640)
- Zagreus Builder.exe (PID: 516)
- Cicada.exe (PID: 3976)
- ZagreuS Builder.exe (PID: 8680)
- Zagreus Builder.exe (PID: 6404)
- Zagreus Builder.exe (PID: 7936)
- ZagreuS Builder.exe (PID: 7476)
- Cicada.exe (PID: 5400)
- Zagreus Builder.exe (PID: 4692)
- ZagreuS Builder.exe (PID: 968)
- Zagreus Builder.exe (PID: 8992)
- ZagreuS Builder.exe (PID: 928)
- Cicada.exe (PID: 7640)
- Cicada.exe (PID: 2288)
- Cicada.exe (PID: 8524)
- Zagreus Builder.exe (PID: 6500)
- ZagreuS Builder.exe (PID: 4620)
- Zagreus Builder.exe (PID: 5436)
- Zagreus Builder.exe (PID: 828)
- Cicada.exe (PID: 9132)
Process checks computer location settings
- Zagreus Builder.exe (PID: 1760)
- ZagreuS Builder.exe (PID: 4724)
- FileCoAuth.exe (PID: 6872)
- msiexec.exe (PID: 6344)
- Zagreus Builder.exe (PID: 7188)
- Zagreus Builder.exe (PID: 7220)
- ZagreuS Builder.exe (PID: 8924)
- Zagreus Builder.exe (PID: 5172)
- ZagreuS Builder.exe (PID: 7052)
- Zagreus Builder.exe (PID: 8940)
- ZagreuS Builder.exe (PID: 8208)
- Zagreus Builder.exe (PID: 8712)
- ZagreuS Builder.exe (PID: 668)
- Zagreus Builder.exe (PID: 8876)
- ZagreuS Builder.exe (PID: 736)
- Zagreus Builder.exe (PID: 7540)
- ZagreuS Builder.exe (PID: 7808)
- Zagreus Builder.exe (PID: 5868)
- ZagreuS Builder.exe (PID: 1096)
- Zagreus Builder.exe (PID: 9076)
- ZagreuS Builder.exe (PID: 1748)
- Zagreus Builder.exe (PID: 7608)
- ZagreuS Builder.exe (PID: 4408)
- ZagreuS Builder.exe (PID: 9180)
- Zagreus Builder.exe (PID: 9136)
- Zagreus Builder.exe (PID: 9156)
- ZagreuS Builder.exe (PID: 7320)
- Zagreus Builder.exe (PID: 7468)
- ZagreuS Builder.exe (PID: 8320)
- Zagreus Builder.exe (PID: 736)
- ZagreuS Builder.exe (PID: 7296)
- Zagreus Builder.exe (PID: 7808)
- ZagreuS Builder.exe (PID: 6208)
- ZagreuS Builder.exe (PID: 3676)
- Zagreus Builder.exe (PID: 7780)
- Zagreus Builder.exe (PID: 7544)
- Zagreus Builder.exe (PID: 9200)
- ZagreuS Builder.exe (PID: 9104)
- ZagreuS Builder.exe (PID: 4408)
- Zagreus Builder.exe (PID: 9112)
- ZagreuS Builder.exe (PID: 1672)
- Zagreus Builder.exe (PID: 7612)
- Zagreus Builder.exe (PID: 7488)
- ZagreuS Builder.exe (PID: 8840)
- ZagreuS Builder.exe (PID: 5124)
- Zagreus Builder.exe (PID: 300)
- ZagreuS Builder.exe (PID: 1812)
- Zagreus Builder.exe (PID: 6908)
- ZagreuS Builder.exe (PID: 2908)
- ZagreuS Builder.exe (PID: 8220)
- Zagreus Builder.exe (PID: 2416)
- Zagreus Builder.exe (PID: 684)
- ZagreuS Builder.exe (PID: 9084)
- Zagreus Builder.exe (PID: 9188)
- ZagreuS Builder.exe (PID: 9180)
- ZagreuS Builder.exe (PID: 7468)
- Zagreus Builder.exe (PID: 7348)
- Zagreus Builder.exe (PID: 4448)
- Zagreus Builder.exe (PID: 8744)
- ZagreuS Builder.exe (PID: 7524)
- ZagreuS Builder.exe (PID: 7352)
- Zagreus Builder.exe (PID: 7852)
- ZagreuS Builder.exe (PID: 6904)
- Zagreus Builder.exe (PID: 6712)
- ZagreuS Builder.exe (PID: 1600)
- Zagreus Builder.exe (PID: 5428)
- Zagreus Builder.exe (PID: 4172)
- ZagreuS Builder.exe (PID: 2644)
- ZagreuS Builder.exe (PID: 4380)
- Zagreus Builder.exe (PID: 4608)
- ZagreuS Builder.exe (PID: 7584)
- ZagreuS Builder.exe (PID: 7000)
- Zagreus Builder.exe (PID: 8468)
- Zagreus Builder.exe (PID: 4696)
- Zagreus Builder.exe (PID: 7712)
- ZagreuS Builder.exe (PID: 8244)
- ZagreuS Builder.exe (PID: 732)
- Zagreus Builder.exe (PID: 7296)
- Zagreus Builder.exe (PID: 7344)
- ZagreuS Builder.exe (PID: 2064)
- Zagreus Builder.exe (PID: 5968)
- ZagreuS Builder.exe (PID: 7248)
- ZagreuS Builder.exe (PID: 4300)
- Zagreus Builder.exe (PID: 7532)
- ZagreuS Builder.exe (PID: 7796)
- Zagreus Builder.exe (PID: 8820)
- ZagreuS Builder.exe (PID: 8288)
- ZagreuS Builder.exe (PID: 7968)
- Zagreus Builder.exe (PID: 5360)
- Zagreus Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 8836)
- ZagreuS Builder.exe (PID: 4220)
- ZagreuS Builder.exe (PID: 7204)
- Zagreus Builder.exe (PID: 9012)
- ZagreuS Builder.exe (PID: 8524)
- Zagreus Builder.exe (PID: 7896)
- ZagreuS Builder.exe (PID: 7344)
- Zagreus Builder.exe (PID: 9160)
- ZagreuS Builder.exe (PID: 5968)
- Zagreus Builder.exe (PID: 9092)
- ZagreuS Builder.exe (PID: 4188)
- Zagreus Builder.exe (PID: 4608)
- ZagreuS Builder.exe (PID: 4980)
- Zagreus Builder.exe (PID: 8116)
- ZagreuS Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 1056)
- Zagreus Builder.exe (PID: 2984)
- ZagreuS Builder.exe (PID: 7524)
- Zagreus Builder.exe (PID: 680)
- ZagreuS Builder.exe (PID: 1764)
- ZagreuS Builder.exe (PID: 7480)
- Zagreus Builder.exe (PID: 7772)
- ZagreuS Builder.exe (PID: 6184)
- Zagreus Builder.exe (PID: 7728)
- Zagreus Builder.exe (PID: 4452)
- ZagreuS Builder.exe (PID: 6940)
- ZagreuS Builder.exe (PID: 2416)
- ZagreuS Builder.exe (PID: 9052)
- Zagreus Builder.exe (PID: 1176)
- ZagreuS Builder.exe (PID: 8908)
- Zagreus Builder.exe (PID: 8748)
- Zagreus Builder.exe (PID: 5868)
- ZagreuS Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 4884)
- ZagreuS Builder.exe (PID: 7348)
- Zagreus Builder.exe (PID: 3572)
- ZagreuS Builder.exe (PID: 732)
- Zagreus Builder.exe (PID: 6904)
- ZagreuS Builder.exe (PID: 4692)
- Zagreus Builder.exe (PID: 6240)
- ZagreuS Builder.exe (PID: 2960)
- ZagreuS Builder.exe (PID: 7236)
- Zagreus Builder.exe (PID: 8860)
- Zagreus Builder.exe (PID: 6168)
- ZagreuS Builder.exe (PID: 8964)
- Zagreus Builder.exe (PID: 1516)
- ZagreuS Builder.exe (PID: 4784)
- Zagreus Builder.exe (PID: 4184)
- ZagreuS Builder.exe (PID: 8872)
- Zagreus Builder.exe (PID: 7636)
- ZagreuS Builder.exe (PID: 7292)
- Zagreus Builder.exe (PID: 6404)
- ZagreuS Builder.exe (PID: 7516)
- Zagreus Builder.exe (PID: 516)
- Zagreus Builder.exe (PID: 7936)
- ZagreuS Builder.exe (PID: 7476)
- ZagreuS Builder.exe (PID: 8680)
- ZagreuS Builder.exe (PID: 968)
- Zagreus Builder.exe (PID: 8992)
- Zagreus Builder.exe (PID: 5436)
- Zagreus Builder.exe (PID: 6500)
- ZagreuS Builder.exe (PID: 928)
Create files in a temporary directory
- ZagreuS Builder.exe (PID: 4724)
- Zagreus Builder.exe (PID: 1760)
- Cicada.exe (PID: 4868)
- FileCoAuth.exe (PID: 2644)
- Zagreus Builder.exe (PID: 7220)
- Cicada.exe (PID: 7224)
- Zagreus Builder.exe (PID: 5172)
- Zagreus Builder.exe (PID: 8940)
- Zagreus Builder.exe (PID: 8712)
- Zagreus Builder.exe (PID: 8876)
- Zagreus Builder.exe (PID: 7188)
- Zagreus Builder.exe (PID: 7540)
- Zagreus Builder.exe (PID: 9076)
- Zagreus Builder.exe (PID: 7468)
- Zagreus Builder.exe (PID: 736)
- Cicada.exe (PID: 7876)
- Zagreus Builder.exe (PID: 7780)
- Zagreus Builder.exe (PID: 7544)
- Zagreus Builder.exe (PID: 7612)
- Zagreus Builder.exe (PID: 300)
- Cicada.exe (PID: 8804)
- Zagreus Builder.exe (PID: 2416)
- Zagreus Builder.exe (PID: 684)
- Zagreus Builder.exe (PID: 9188)
- Zagreus Builder.exe (PID: 7348)
- Zagreus Builder.exe (PID: 4448)
- Zagreus Builder.exe (PID: 8744)
- Zagreus Builder.exe (PID: 7852)
- Zagreus Builder.exe (PID: 4172)
- Zagreus Builder.exe (PID: 6712)
- Zagreus Builder.exe (PID: 5428)
- Zagreus Builder.exe (PID: 4608)
- Cicada.exe (PID: 736)
- Zagreus Builder.exe (PID: 4696)
- Zagreus Builder.exe (PID: 7712)
- Zagreus Builder.exe (PID: 7532)
- Zagreus Builder.exe (PID: 8820)
- Zagreus Builder.exe (PID: 8836)
- Cicada.exe (PID: 8960)
- Zagreus Builder.exe (PID: 9012)
- Zagreus Builder.exe (PID: 7896)
- Zagreus Builder.exe (PID: 9160)
- Zagreus Builder.exe (PID: 4608)
- Zagreus Builder.exe (PID: 1056)
- Zagreus Builder.exe (PID: 2984)
- Zagreus Builder.exe (PID: 680)
- Zagreus Builder.exe (PID: 7772)
- Cicada.exe (PID: 2692)
- Zagreus Builder.exe (PID: 4452)
- Zagreus Builder.exe (PID: 5868)
- Zagreus Builder.exe (PID: 8748)
- Zagreus Builder.exe (PID: 4884)
- Zagreus Builder.exe (PID: 3572)
- Zagreus Builder.exe (PID: 6240)
- Zagreus Builder.exe (PID: 6904)
- Zagreus Builder.exe (PID: 8860)
- Zagreus Builder.exe (PID: 6168)
- Cicada.exe (PID: 3612)
- Zagreus Builder.exe (PID: 4184)
- Zagreus Builder.exe (PID: 6404)
- Zagreus Builder.exe (PID: 516)
- Zagreus Builder.exe (PID: 4692)
Reads the machine GUID from the registry
- Zagreus Builder.exe (PID: 1760)
- ZagreuS Builder.exe (PID: 5528)
- Cicada.exe (PID: 4868)
- FileCoAuth.exe (PID: 2644)
- msiexec.exe (PID: 8196)
- HTTPDebuggerSvc.exe (PID: 4688)
- HTTPDebuggerSvc.exe (PID: 3016)
- HTTPDebuggerUI.exe (PID: 2268)
- Zagreus Builder.exe (PID: 7220)
- Cicada.exe (PID: 7224)
- Zagreus Builder.exe (PID: 5172)
- Cicada.exe (PID: 7332)
- Zagreus Builder.exe (PID: 8940)
- Cicada.exe (PID: 6656)
- Zagreus Builder.exe (PID: 8712)
- Zagreus Builder.exe (PID: 8876)
- Cicada.exe (PID: 8812)
- Cicada.exe (PID: 7748)
- Zagreus Builder.exe (PID: 7540)
- Cicada.exe (PID: 5588)
- Zagreus Builder.exe (PID: 5868)
- Cicada.exe (PID: 5436)
- Zagreus Builder.exe (PID: 9076)
- Cicada.exe (PID: 3024)
- Zagreus Builder.exe (PID: 7608)
- Cicada.exe (PID: 8980)
- Zagreus Builder.exe (PID: 9136)
- Cicada.exe (PID: 8816)
- Zagreus Builder.exe (PID: 9156)
- Cicada.exe (PID: 7644)
- Zagreus Builder.exe (PID: 7468)
- Cicada.exe (PID: 644)
- Zagreus Builder.exe (PID: 736)
- Zagreus Builder.exe (PID: 7808)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 7492)
- Cicada.exe (PID: 7248)
- Zagreus Builder.exe (PID: 7780)
- Zagreus Builder.exe (PID: 7544)
- Cicada.exe (PID: 8940)
- Cicada.exe (PID: 7152)
- Zagreus Builder.exe (PID: 9200)
- Zagreus Builder.exe (PID: 7488)
- Zagreus Builder.exe (PID: 9112)
- Cicada.exe (PID: 7464)
- Cicada.exe (PID: 2100)
- Zagreus Builder.exe (PID: 7612)
- Cicada.exe (PID: 7372)
- Zagreus Builder.exe (PID: 300)
- Zagreus Builder.exe (PID: 6908)
- Cicada.exe (PID: 7500)
- Zagreus Builder.exe (PID: 2416)
- Cicada.exe (PID: 8668)
- Zagreus Builder.exe (PID: 684)
- Cicada.exe (PID: 9164)
- Cicada.exe (PID: 8804)
- Zagreus Builder.exe (PID: 9188)
- Cicada.exe (PID: 7564)
- Zagreus Builder.exe (PID: 4448)
- Zagreus Builder.exe (PID: 7348)
- Cicada.exe (PID: 6988)
- Zagreus Builder.exe (PID: 8744)
- Cicada.exe (PID: 8380)
- Cicada.exe (PID: 4024)
- Zagreus Builder.exe (PID: 7852)
- Cicada.exe (PID: 1120)
- Zagreus Builder.exe (PID: 6712)
- Cicada.exe (PID: 7556)
- Zagreus Builder.exe (PID: 4172)
- Zagreus Builder.exe (PID: 5428)
- Cicada.exe (PID: 5728)
- Cicada.exe (PID: 9116)
- Zagreus Builder.exe (PID: 4608)
- Cicada.exe (PID: 736)
- Zagreus Builder.exe (PID: 4696)
- Zagreus Builder.exe (PID: 8468)
- Cicada.exe (PID: 8888)
- Cicada.exe (PID: 6736)
- Zagreus Builder.exe (PID: 7712)
- Cicada.exe (PID: 7212)
- Zagreus Builder.exe (PID: 7296)
- Zagreus Builder.exe (PID: 7344)
- Cicada.exe (PID: 7772)
- Cicada.exe (PID: 6676)
- Zagreus Builder.exe (PID: 5968)
- Cicada.exe (PID: 7780)
- Cicada.exe (PID: 8980)
- Zagreus Builder.exe (PID: 7532)
- Cicada.exe (PID: 8180)
- Zagreus Builder.exe (PID: 7428)
- Zagreus Builder.exe (PID: 8820)
- Cicada.exe (PID: 8792)
- Zagreus Builder.exe (PID: 5360)
- Zagreus Builder.exe (PID: 8836)
- Cicada.exe (PID: 732)
- Cicada.exe (PID: 8960)
- Zagreus Builder.exe (PID: 9012)
- Zagreus Builder.exe (PID: 7896)
- Cicada.exe (PID: 7444)
- Cicada.exe (PID: 5452)
- Zagreus Builder.exe (PID: 9160)
- Cicada.exe (PID: 4380)
- Zagreus Builder.exe (PID: 9092)
- Cicada.exe (PID: 9052)
- Zagreus Builder.exe (PID: 4608)
- Zagreus Builder.exe (PID: 8116)
- Cicada.exe (PID: 644)
- Cicada.exe (PID: 8804)
- Zagreus Builder.exe (PID: 1056)
- Cicada.exe (PID: 516)
- Zagreus Builder.exe (PID: 2984)
- Cicada.exe (PID: 7488)
- Zagreus Builder.exe (PID: 680)
- Cicada.exe (PID: 1052)
- Zagreus Builder.exe (PID: 7772)
- Cicada.exe (PID: 2692)
- Zagreus Builder.exe (PID: 7728)
- Zagreus Builder.exe (PID: 4452)
- Cicada.exe (PID: 8788)
- Cicada.exe (PID: 8212)
- Cicada.exe (PID: 6112)
- Zagreus Builder.exe (PID: 5868)
- Zagreus Builder.exe (PID: 1176)
- Cicada.exe (PID: 4696)
- Zagreus Builder.exe (PID: 8748)
- Cicada.exe (PID: 2392)
- Zagreus Builder.exe (PID: 4884)
- Zagreus Builder.exe (PID: 3572)
- Cicada.exe (PID: 7884)
- Zagreus Builder.exe (PID: 6904)
- Cicada.exe (PID: 8644)
- Zagreus Builder.exe (PID: 6240)
- Cicada.exe (PID: 3124)
- Zagreus Builder.exe (PID: 8860)
- Cicada.exe (PID: 7888)
- Zagreus Builder.exe (PID: 6168)
- Cicada.exe (PID: 3612)
- Cicada.exe (PID: 8524)
- Zagreus Builder.exe (PID: 1516)
- Cicada.exe (PID: 2432)
- Zagreus Builder.exe (PID: 4184)
- Cicada.exe (PID: 8200)
- Cicada.exe (PID: 8116)
- Zagreus Builder.exe (PID: 6404)
- Zagreus Builder.exe (PID: 7636)
- Cicada.exe (PID: 6640)
- Zagreus Builder.exe (PID: 516)
- Cicada.exe (PID: 5400)
- Zagreus Builder.exe (PID: 7936)
- Zagreus Builder.exe (PID: 4692)
- Cicada.exe (PID: 2288)
- Zagreus Builder.exe (PID: 8992)
- Zagreus Builder.exe (PID: 5436)
- Cicada.exe (PID: 8524)
- Zagreus Builder.exe (PID: 6500)
Creates files or folders in the user directory
- Cicada.exe (PID: 4868)
- FileCoAuth.exe (PID: 2644)
- explorer.exe (PID: 5492)
- HTTPDebuggerUI.exe (PID: 2268)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
Disables trace logs
- Cicada.exe (PID: 4868)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Checks proxy server information
- Cicada.exe (PID: 4868)
- explorer.exe (PID: 5492)
- HTTPDebuggerUI.exe (PID: 2268)
- Cicada.exe (PID: 7224)
- slui.exe (PID: 3364)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Reads the software policy settings
- Cicada.exe (PID: 4868)
- slui.exe (PID: 5428)
- explorer.exe (PID: 5492)
- msiexec.exe (PID: 8196)
- msiexec.exe (PID: 8256)
- HTTPDebuggerUI.exe (PID: 2268)
- Cicada.exe (PID: 7224)
- slui.exe (PID: 3364)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Manual execution by a user
- Taskmgr.exe (PID: 7192)
- Taskmgr.exe (PID: 6644)
- firefox.exe (PID: 7876)
Reads CPU info
- Cicada.exe (PID: 4868)
- Cicada.exe (PID: 7224)
- Cicada.exe (PID: 7876)
- Cicada.exe (PID: 8804)
- Cicada.exe (PID: 736)
- Cicada.exe (PID: 8960)
- Cicada.exe (PID: 2692)
- Cicada.exe (PID: 3612)
Application launched itself
- firefox.exe (PID: 7876)
- firefox.exe (PID: 7896)
- firefox.exe (PID: 4284)
- firefox.exe (PID: 7544)
Confuser has been detected (YARA)
- Cicada.exe (PID: 4868)
The sample compiled with english language support
- FileCoAuth.exe (PID: 6872)
- msiexec.exe (PID: 8256)
- msiexec.exe (PID: 8196)
- HTTPDebuggerSvc.exe (PID: 4688)
Autorun file from Downloads
- firefox.exe (PID: 7896)
Executable content was dropped or overwritten
- msiexec.exe (PID: 8256)
- msiexec.exe (PID: 8196)
Reads Microsoft Office registry keys
- explorer.exe (PID: 5492)
Manages system restore points
- SrTasks.exe (PID: 8744)
Creates files in the program directory
- HTTPDebuggerSvc.exe (PID: 4688)
- Cicada.exe (PID: 3612)
Creates a software uninstall entry
- msiexec.exe (PID: 8196)
Local mutex for internet shortcut management
- explorer.exe (PID: 5492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(4868) Cicada.exe
Telegram-Tokens (1)7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8
Telegram-Info-Links
7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8
Get info about bothttps://api.telegram.org/bot7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8/getMe
Get incoming updateshttps://api.telegram.org/bot7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8/getUpdates
Get webhookhttps://api.telegram.org/bot7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8
End-PointsendDocument
Args
chat_id (1)6068287209
caption (1)==== RL STEALER ====
⏰ Date => 03/25/2025 12:24
💻System => Windows 10 Pro (64 Bit)
👤 User => admin
🆔 PC => DESKTOP-JGLLJLD
🏴 Country => [The Netherlands]
🔍 IP => 212.30.37.95
📝 Language => 🇺🇸 en-US
🔓 Antivirus =>
Token7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8
End-PointsendDocument
Args
chat_id (1)6068287209
caption (1)==== RL STEALER ====
⏰ Date => 03/25/2025 12:24
💻System => Windows 10 Pro (64 Bit)
👤 User =%
Token7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8
End-PointsendDocument
Args
Token7382141956:AAEtnjwughN0sZTQ_wzEG2EuQEvAFP_LdF8
End-PointsendDocument
Args
chat_id (1)6068287209
caption (1)==== RL STEALER ====
Telegram-Responses
oktrue
result
message_id1801
from
id7382141956
is_bottrue
first_nameRL Stealer
usernameRLStealerData_bot
chat
id6068287209
first_nameWorphine
usernameWorphines
typeprivate
date1742862295
document
file_nameC UsersadminAppDataLocalDESKTOP-JGLLJLD@[The Netherlands].zip
mime_typeapplication/zip
file_idBQACAgUAAxkDAAIHCWfh99cCQqzsu136MdryFIlWguKYAALNFAACIhwQV3t6wV1xJ0lCNgQ
file_unique_idAgADzRQAAiIcEFc
file_size512957
caption==== RL STEALER ====
⏰ Date => 03/25/2025 12:24
💻System => Windows 10 Pro (64 Bit)
👤 User => admin
🆔 PC => DESKTOP-JGLLJLD
🏴 Country => [The Netherlands]
🔍 IP => 212.30.37.95
📝 Language => 🇺🇸 en-US
🔓 Antivirus => Windows Defender.
===={ User Data }====
📂 FileGrabber => 30
📦 Telegram => ...
caption_entities
offset168
length12
typeurl
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:10:02 02:46:12+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 1333248 |
| InitializedDataSize: | 6656 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x14774e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 1.0.0.0 |
| InternalName: | Zagreus Builder.exe |
| LegalCopyright: | |
| OriginalFileName: | Zagreus Builder.exe |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
435
Monitored processes
294
Malicious processes
34
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 208 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7324 -parentBuildID 20240213221259 -sandboxingKind 1 -prefsHandle 6112 -prefMapHandle 5296 -prefsLen 38711 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7259e726-0502-4c2d-92aa-11cd6a35fe47} 7896 "\\.\pipe\gecko-crash-server-pipe.7896" 1ebb3e8ef10 utility | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 1 Version: 123.0 Modules
| |||||||||||||||
| 300 | "C:\Users\admin\AppData\Local\Temp\3582-490\ZagreuS Builder.exe" | C:\Users\admin\AppData\Local\Temp\3582-490\Zagreus Builder.exe | — | ZagreuS Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 516 | "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | C:\Users\admin\AppData\Local\Temp\Cicada.exe | — | Zagreus Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: RL Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 516 | "C:\Users\admin\AppData\Local\Temp\3582-490\ZagreuS Builder.exe" | C:\Users\admin\AppData\Local\Temp\3582-490\Zagreus Builder.exe | — | ZagreuS Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 644 | "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | C:\Users\admin\AppData\Local\Temp\Cicada.exe | — | Zagreus Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: RL Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 644 | "C:\Users\admin\AppData\Local\Temp\Cicada.exe" | C:\Users\admin\AppData\Local\Temp\Cicada.exe | — | Zagreus Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: RL Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 668 | "C:\Users\admin\AppData\Local\Temp\ZagreuS Builder.exe" | C:\Users\admin\AppData\Local\Temp\ZagreuS Builder.exe | Zagreus Builder.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 680 | "C:\Users\admin\AppData\Local\Temp\3582-490\ZagreuS Builder.exe" | C:\Users\admin\AppData\Local\Temp\3582-490\Zagreus Builder.exe | — | ZagreuS Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 684 | "C:\Users\admin\AppData\Local\Temp\3582-490\ZagreuS Builder.exe" | C:\Users\admin\AppData\Local\Temp\3582-490\Zagreus Builder.exe | — | ZagreuS Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 732 | "C:\Users\admin\AppData\Local\Temp\ZagreuS Builder.exe" | C:\Users\admin\AppData\Local\Temp\ZagreuS Builder.exe | — | Zagreus Builder.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
186 707
Read events
186 284
Write events
393
Delete events
30
Modification events
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
| Operation: | write | Name: | IconLayouts |
Value: 00000000000000000000000000000000030001000100010013000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C0000001B000000000000006300650072007400690066006900630061007400650072006500730070006F006E00730065002E007200740066003E002000200000001300000000000000630075006D0063007500730074006F006D00650072002E007200740066003E002000200000001800000000000000640069006300740069006F006E006100720079006600750074007500720065002E007200740066003E00200020000000100000000000000064006F006E00650064006F006E0065002E0070006E0067003E002000200000001300000000000000670065006F007200670065006100670065006E0074002E007200740066003E0020002000000012000000000000006D0061007200740069006E006D0061006E0079002E0070006E0067003E0020002000000017000000000000006D006500740061006C00640069006300740069006F006E006100720079002E0070006E0067003E002000200000000D000000000000006E0070007200650076002E007200740066003E00200020000000120000000000000073006F006E0067006800650061006C00740068002E007200740066003E00200020000000130000000000000073006F006E0068006F006C00690064006100790073002E007200740066003E0020002000000017000000000000005A0061006700720065007500730020004200750069006C006400650072002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001300000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A0401100000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000001200 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
| Operation: | write | Name: | IconNameVersion |
Value: 1 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts |
| Operation: | write | Name: | LastUpdate |
Value: C6F7E16700000000 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000030310 |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3 | |||
| (PID) Process: | (4868) Cicada.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (4868) Cicada.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (4868) Cicada.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (4868) Cicada.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (4868) Cicada.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Cicada_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
41
Suspicious files
522
Text files
333
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4868 | Cicada.exe | C:\Users\admin\AppData\Local\Temp\places.raw | — | |
MD5:— | SHA256:— | |||
| 5492 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary | |
MD5:E49C56350AEDF784BFE00E444B879672 | SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E | |||
| 4724 | ZagreuS Builder.exe | C:\Users\admin\AppData\Local\Temp\3582-490\ZagreuS Builder.exe | executable | |
MD5:E538C0DF99242DB4EEBEDB0EAF655CCA | SHA256:38551A319BF73A435F849C42A52818236BFB59C2F73F3658198C0C2F5773D383 | |||
| 1760 | Zagreus Builder.exe | C:\Users\admin\AppData\Local\Temp\Cicada.exe | executable | |
MD5:9400A5310BB2DE623439B244CBEF49B8 | SHA256:3CDEF3A60769CE6B68A9200A4A4BCBBDADD374D8CECE69C14FF24B2B3869F192 | |||
| 4868 | Cicada.exe | C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\Browsers\Outlook\Outlook.txt | text | |
MD5:81051BCC2CF1BEDF378224B0A93E2877 | SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6 | |||
| 4868 | Cicada.exe | C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\InstalledSoftware.txt | text | |
MD5:9FE3E9FBA5C9F39C7C244BD808A9777F | SHA256:6FD5F361A1FEAA428050DA60111432F85E03ED3D7571D5B86CEC3C77296C9D10 | |||
| 4868 | Cicada.exe | C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Documents\fundassociation.rtf | text | |
MD5:30336AA92392E0EDCED1895A13DFF443 | SHA256:17F34019868A58C18B8D001A93BEEB6FE64B7CCCF2FEE507F14ED24144586065 | |||
| 4868 | Cicada.exe | C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\dictionaryfuture.rtf | text | |
MD5:28B6B076891E8A4FFC2D9A858E2A412E | SHA256:30F515951A083234A3BA4B40115716698A8E522FA3AE82DD74D30BDB293A44CE | |||
| 4868 | Cicada.exe | C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\certificateresponse.rtf | text | |
MD5:921ABE1E52B351B4E4E9711F428736EC | SHA256:2B55C6DDB6F5F89D10B1675D19D86C18A432C60C5DDB695879A1F662629DECF4 | |||
| 4868 | Cicada.exe | C:\Users\admin\AppData\Local\DESKTOP-JGLLJLD\FileGrabber\Desktop\sonholidays.rtf | text | |
MD5:B412EACE1163ED99EF6900D3837669D1 | SHA256:F8833C198D3E95DF2A26C619D705DD5AFD1AD1C20593A9F1CBDC4198C815A9FD | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
173
TCP/UDP connections
531
DNS requests
340
Threats
183
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.86.110.66:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4868 | Cicada.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | — | — | whitelisted |
4868 | Cicada.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | — | — | whitelisted |
4868 | Cicada.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | — | — | whitelisted |
4868 | Cicada.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | — | — | whitelisted |
5728 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
7896 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | — | — | whitelisted |
7896 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
7896 | firefox.exe | POST | 200 | 142.250.184.227:80 | http://o.pki.goog/we2 | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.86.110.66:80 | crl.microsoft.com | Akamai International B.V. | GB | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4868 | Cicada.exe | 162.125.66.15:443 | dl.dropboxusercontent.com | DROPBOX | DE | whitelisted |
4868 | Cicada.exe | 104.21.112.1:443 | freegeoip.app | CLOUDFLARENET | — | whitelisted |
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
dl.dropboxusercontent.com |
| whitelisted |
freegeoip.app |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ipbase.com |
| unknown |
api.ipify.org |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Checker Domain (freegeoip .app) |
4868 | Cicada.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
2196 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com) |
4868 | Cicada.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] SNI External IP Domain Lookup (freegeoip .app) |
4868 | Cicada.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
4868 | Cicada.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI) |
4868 | Cicada.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
4868 | Cicada.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
4868 | Cicada.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
4868 | Cicada.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |