Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Analysis ID:	1632574
MD5:	4864dd1c69d3fa10d608c2483be1219a
SHA1:	7cf739e0812972172cb321335aeb33cc527f08aa
SHA256:	a56fc16a195fe09b8a210ce413f2519b52a13acc3709ce1528e616da0037506f
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Joe Sandbox ML detected suspicious sample

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe" MD5: 4864DD1C69D3FA10D608C2483BE1219A)

Extended-Training-Mode.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe" MD5: D1B0632E0B415DADA059CD8917FF9096)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

curl.exe (PID: 8056 cmdline: curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe, ParentProcessId: 7980, ParentProcessName: Extended-Training-Mode.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, ProcessId: 8040, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe, ParentProcessId: 7980, ParentProcessName: Extended-Training-Mode.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, ProcessId: 8040, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Virustotal: Detection: 40%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.4:49719 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\Extended-Training-Mode-DLL.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb)) source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Source: Joe Sandbox View

IP Address: 140.82.121.5 140.82.121.5

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge HTTP/1.1User-Agent: GitHubAPIHost: api.github.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest HTTP/1.1Host: api.github.comUser-Agent: curl/7.83.1Accept: /

Source: global traffic

DNS traffic detected: DNS query: api.github.com

Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gi
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.cT
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.00000000018B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.00000000018B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/AC
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000003.1293871389.00000000018D4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000003.1293920829.0000000001912000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/assets/233845108
Source: curl.exe, 00000009.00000002.1333359034.0000000002910000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333359034.0000000002928000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332636733.0000000002920000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333359034.0000000002923000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest3
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest:
Source: Extended-Training-Mode.exe, 00000006.00000003.1338894696.00000000009C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestC:
Source: curl.exe, 00000009.00000002.1333359034.0000000002910000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestT_
Source: curl.exe, 00000009.00000002.1333359034.0000000002910000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333316600.0000000000820000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestWinsta0
Source: curl.exe, 00000009.00000003.1332636733.0000000002928000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333359034.0000000002928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestapi.github.com
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestb
Source: curl.exe, 00000009.00000002.1333359034.0000000002910000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333316600.0000000000820000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestcurl
Source: Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latesthttps://github.c
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgeInte
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgell
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edges
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgew
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/tarball/bleeding-edge
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/tarball/v2.0
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/zipball/bleeding-edge
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/zipball/v2.0
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/events
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/followers
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/following
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/gists
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/orgs
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/received_events
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/repos
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/starred
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/subscriptions
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1300538691.00000000016F8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/githu
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/events
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/followers
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/following
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/gists
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/orgs
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/received_events
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/repos
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/starred
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/subscriptions
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/githuk
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubuserconten
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.c
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://avatars.githubusercontent.com/in/15368?v=4
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com/u/61390904?v=4
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://github.com/apps/github-actions
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdreth
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdreth/MBAACC-Ex
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Extended-Training-Mode.exe, 00000006.00000002.3128017297.0000000000FCD000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, ConDrv.6.dr, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases
Source: Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Extended-Training-Mode.exe, 00000006.00000002.3128017297.0000000000FCD000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, bleeding-edge[1].json.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/bleeding-edge/MBAACC-Ex
Source: curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/v2.0/README.md
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/tag/bleeding-edge
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://uploads.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets

Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.4:49719 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386, for MS Windows
Source: Extended-Training-Mode.exe.0.dr	Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@8/5@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\bleeding-edge[1].json

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

File created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-Launcher.log

Jump to behavior

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Virustotal: Detection: 40%

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: \Extended-Training-Mode-Launcher.log
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/bleeding-edge/MBAACC-Extended-Training-Mode-Launcher.
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: @Unknown exceptionbad array new lengthstring too longbad cast\Extended-Training-Mode-Launcher.loglog inited
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: Downloaderhttps://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/bleeding-edge/MBAACC-Extended-Training-Mode-Launcher.exefailed to open updated file for writing
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb))

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Process created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe"
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Process created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: msvcp140_atomic_wait.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static file information: File size 12606976 > 1048576

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xbf1600

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\Extended-Training-Mode-DLL.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb)) source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Extended-Training-Mode-DLL.dll.6.dr

Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	File created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-DLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	File created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Window / User API: threadDelayed 1446			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2918			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-DLL.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe TID: 7984

Thread sleep time: -144600s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.00000000018A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: curl.exe, 00000009.00000003.1332636733.0000000002920000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|\|

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Code function: 0_2_0071D133 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0071D133

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	34%	ReversingLabs	Win32.Infostealer.Tinba
SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	40%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-DLL.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	4%	ReversingLabs

Source	Detection	Scanner	Label
https://avatars.githubuserconten	0%	Avira URL Cloud	safe
https://api.gi	0%	Avira URL Cloud	safe
https://api.github.cT	0%	Avira URL Cloud	safe
https://avatars.githubusercontent.c	0%	Avira URL Cloud	safe
https://uploads.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.github.com	140.82.121.5	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.github.com/users/fangdreth/gists	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/fangdreth/following	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.githubuserconten	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/apps/github-actions	bleeding-edge[1].json.0.dr	false		high
https://github.com/fangdreth/MBAACC-Ex	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest:	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgeInte	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	false		high
https://api.github.com/users/fangdreth	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Extended-Training-Mode.exe, 00000006.00000002.3128017297.0000000000FCD000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edges	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778	bleeding-edge[1].json.0.dr	false		high
https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/bleeding-edge/MBAACC-Ex	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, bleeding-edge[1].json.0.dr	false		high
https://api.github.com/users/github-actions%5Bbot%5D/repos	bleeding-edge[1].json.0.dr	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgew	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot%5D/orgs	bleeding-edge[1].json.0.dr	false		high
https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/v2.0/README.md	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestapi.github.com	curl.exe, 00000009.00000003.1332636733.0000000002928000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333359034.0000000002928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot%5D/subscriptions	bleeding-edge[1].json.0.dr	false		high
https://api.github.com/users/fangdreth/orgs	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/assets/233845108	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	false		high
https://api.github.com/users/fangdreth/starred	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestT_	curl.exe, 00000009.00000002.1333359034.0000000002910000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot%5D/gists	bleeding-edge[1].json.0.dr	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000003.1293871389.00000000018D4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000003.1293920829.0000000001912000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/fangdreth/subscriptions	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestWinsta0	curl.exe, 00000009.00000002.1333359034.0000000002910000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333316600.0000000000820000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgell	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.000000000185E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/zipball/v2.0	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot%5D	bleeding-edge[1].json.0.dr	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestb	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/fangdreth/received_events	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/fangdreth/followers	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot%5D/following	bleeding-edge[1].json.0.dr	false		high
https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Extended-Training-Mode.exe, 00000006.00000002.3128017297.0000000000FCD000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, ConDrv.6.dr, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	false		high
https://api.gi	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.github.com/users/github-actions%5Bbot%5D/followers	bleeding-edge[1].json.0.dr	false		high
https://api.github.com/users/fangdreth/events	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/zipball/bleeding-edge	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latesthttps://github.c	Extended-Training-Mode.exe.0.dr	false		high
https://api.github.com/users/github-actions%5Bbot%5D/starred	bleeding-edge[1].json.0.dr	false		high
https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/tag/bleeding-edge	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	false		high
https://api.github.com/users/githuk	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestcurl	curl.exe, 00000009.00000002.1333359034.0000000002910000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1333316600.0000000000820000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot%5D/events	bleeding-edge[1].json.0.dr	false		high
https://avatars.githubusercontent.com/u/61390904?v=4	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/github-actions%5Bbot%5D/received_events	bleeding-edge[1].json.0.dr	false		high
https://avatars.githubusercontent.com/in/15368?v=4	bleeding-edge[1].json.0.dr	false		high
https://uploads.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	false	Avira URL Cloud: safe	unknown
https://avatars.githubusercontent.c	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.github.com/users/githu	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1300538691.00000000016F8000.00000004.00000010.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest3	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/tarball/v2.0	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/AC	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.00000000018B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/fangdreth	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestC:	Extended-Training-Mode.exe, 00000006.00000003.1338894696.00000000009C4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/users/fangdreth/repos	curl.exe, 00000009.00000003.1332433747.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.0000000002986000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332247365.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332346140.000000000292C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1331829355.000000000299F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1332104114.0000000002986000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/tarball/bleeding-edge	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301793351.0000000001913000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	false		high
https://api.github.com/	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1301044423.00000000018B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.github.cT	Extended-Training-Mode.exe, 00000006.00000002.3127576584.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
140.82.121.5	api.github.com	United States		36459	GITHUBUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632574
Start date and time:	2025-03-08 11:27:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Detection:	MAL
Classification:	mal60.winEXE@8/5@1/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 20.109.210.53
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Extended-Training-Mode.exe, PID 7980 because there are no executed function
Execution Graph export aborted for target SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, PID 7548 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
140.82.121.5	https://u1.tightlyreporter.shop/sosalkino.mov	Get hash	malicious	Unknown	Browse
	http://kytelink.com	Get hash	malicious	Unknown	Browse
	https://github.com/Tautulli/Tautulli/releases/download/v2.15.1/Tautulli-windows-v2.15.1-x64.exe	Get hash	malicious	Unknown	Browse
	https://github.com/Berusol/Solara-V3/releases/tag/Setup	Get hash	malicious	PureLog Stealer	Browse
	http://get-official-verified-badge-form-one.vercel.app/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.7131.28226.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Gen.Variant.Lazy.564550.16803.23255.exe	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	DeadBolt	Browse
	https://vinitk1509.github.io/NETFLIX	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.github.com	https://u1.tightlyreporter.shop/sosalkino.mov	Get hash	malicious	Unknown	Browse	140.82.121.6
	https://u1.tightlyreporter.shop/sosalkino.mov	Get hash	malicious	Unknown	Browse	140.82.121.5
	http://kytelink.com	Get hash	malicious	Unknown	Browse	140.82.121.5
	https://github.com/Tautulli/Tautulli/releases/download/v2.15.1/Tautulli-windows-v2.15.1-x64.exe	Get hash	malicious	Unknown	Browse	140.82.121.6
	GUI.for.SingBox.exe	Get hash	malicious	Unknown	Browse	140.82.121.6
	rclone.exe	Get hash	malicious	Unknown	Browse	140.82.121.6
	https://github.com/Berusol/Solara-V3/releases/tag/Setup	Get hash	malicious	PureLog Stealer	Browse	140.82.121.5
	http://get-official-verified-badge-form-one.vercel.app/	Get hash	malicious	Unknown	Browse	140.82.121.5
	asB3nE8eVs	Get hash	malicious	Unknown	Browse	140.82.121.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GITHUBUS	combined.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://live.dot.vu/p/dholcomb/landing-page-trends-report/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.3
	guard.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	http://debbierhoades.gamerealm24.com/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.3
	https://hod.guedaib.ru/oh9Iwk/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	140.82.121.4
	https://e4.axshddjc.ru/4k46sET/	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	140.82.116.4
	https://e4.axshddjc.ru/4k46sET/	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	140.82.116.4
	OPwuNqXuHv.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	yjYJ8QncaF.exe	Get hash	malicious	Fallen Miner, Xmrig	Browse	140.82.121.4

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	1.exe	Get hash	malicious	Unknown	Browse	140.82.121.5
	Dropper.exe	Get hash	malicious	AsyncRAT, Trap Stealer, XWorm	Browse	140.82.121.5
	setup.exe	Get hash	malicious	Unknown	Browse	140.82.121.5
	ggetokken.bat	Get hash	malicious	Unknown	Browse	140.82.121.5
	hGlhyegaG6.exe	Get hash	malicious	Unknown	Browse	140.82.121.5
	1.exe	Get hash	malicious	Unknown	Browse	140.82.121.5
	setup.msi	Get hash	malicious	Unknown	Browse	140.82.121.5
	5bf784.msi	Get hash	malicious	Unknown	Browse	140.82.121.5
	34.exe	Get hash	malicious	Unknown	Browse	140.82.121.5
37f463bf4616ecd445d4a1937da06e19	Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Get hash	malicious	LummaC Stealer	Browse	140.82.121.5
	Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Get hash	malicious	LummaC Stealer	Browse	140.82.121.5
	1.exe	Get hash	malicious	Unknown	Browse	140.82.121.5
	1.exe	Get hash	malicious	Unknown	Browse	140.82.121.5
	BWllpq4Tel.exe	Get hash	malicious	GuLoader	Browse	140.82.121.5
	uK5pfobYyD.exe	Get hash	malicious	DarkCloud	Browse	140.82.121.5
	MNLS4PjscF.exe	Get hash	malicious	GuLoader	Browse	140.82.121.5
	MNLS4PjscF.exe	Get hash	malicious	GuLoader	Browse	140.82.121.5
	OW1i3n5K3s.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	140.82.121.5

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3763
Entropy (8bit):	5.136570058070298
Encrypted:	false
SSDEEP:	96:ouCAmQbHOt9LZ6CDC2JgOT4cvKQbHOt9LZ6CDC2Hi1O1Jn:0BVncBHR
MD5:	1C86807B89E53B1FFFF7DA6AAFB7E038
SHA1:	FDCE1540F3AA4187B6F5C9DB8AA441DB193A7865
SHA-256:	570A3ECA33EC97AEF9BEDC2378265F09A711E1F02E3A2D55DFF2163183D411FD
SHA-512:	A4F9B7E2349CE024B9B8C13DD96FBC355A6EDEBA6FC536AF15F01A8C0E6BF29D98C92DE511818D8AACED1D843D139D44040513A049F11A4151FFA84C7162A16F
Malicious:	false
Reputation:	low
Preview:	{"url":"https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778","assets_url":"https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets","upload_url":"https://uploads.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets{?name,label}","html_url":"https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/tag/bleeding-edge","id":203206778,"author":{"login":"github-actions[bot]","id":41898282,"node_id":"MDM6Qm90NDE4OTgyODI=","avatar_url":"https://avatars.githubusercontent.com/in/15368?v=4","gravatar_id":"","url":"https://api.github.com/users/github-actions%5Bbot%5D","html_url":"https://github.com/apps/github-actions","followers_url":"https://api.github.com/users/github-actions%5Bbot%5D/followers","following_url":"https://api.github.com/users/github-actions%5Bbot%5D/following{/other_user}","gists_url":"https://api.github.com/users/github-actions%5Bbot%5D/gists{/gist_id}","starred_ur

C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-DLL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11091968
Entropy (8bit):	1.345063879261154
Encrypted:	false
SSDEEP:	49152:HiQk777QK94lyaUG+S0R/xYnYAAaz5qQ+ch4A8VN:Hi5TCxZIZ0YAACE
MD5:	87F34FE4C1A4EA48EE3885D1AD0506EE
SHA1:	8A4F49E8DDABF3A13EC61B96570A0427664FC247
SHA-256:	7F38C81F9B5CD86AD0DD1F12389E12120FDC62B9233AC8D8B6280C041265BAE0
SHA-512:	2E898E4B4C71853A9A6F01846BE8FEA96F2312B1D2644CE6D9B7F842F1BF54A26BFD099A6709D93C1B0CEFEAD02DA11058C84FB5603ABB550A29AE4E401B306D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,..nh.p=h.p=h.p=a..=\|.p=...=j.p=y.s<x.p=y.t<b.p=...=i.p=y.u<u.p=y.q<l.p=..q<e.p=h.q=s.p=..s<i.p=..y<e.p=...=i.p=h..=i.p=..r<i.p=Richh.p=................PE..L......g...........!...+.j...v.......*....................................................@..................................q..\|........p..............................p...........................@...@...............X............................text....i.......j.................. ..`.rdata...............n..............@..@.data................\|..............@..._RDATA...&...P...(..................@..@.rsrc....p.......r..................@..@.reloc...............2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-Launcher.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.580003595441615
Encrypted:	false
SSDEEP:	3:RMkArWgzAfu2lGOvGKROUu2lHtQmGJePZFUEEZa:RwrFAm2lGR2lHytSZFUEEA
MD5:	E3EED6966DCA3628B6F2CDC30E526597
SHA1:	85B4EF9867BF5C6D3B34816C69A01BBE2911D75C
SHA-256:	DE2BDE8A02FA3B1643724B80E8329BEBAD9705E7FE43AAB38975B2E59D2D464E
SHA-512:	497CABCC3F57D12EB0164CEA3B88BD3471F780E517959E16F6225B20D355EF202AF35D4741B798B5FDCC72EB3B33E3084B3737A1A5581B684D9C7031C8AE3E04
Malicious:	false
Reputation:	low
Preview:	log inited..release time: 1740918034..compile time: 1740918029..no update needed..exiting gracefully....

C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12521984
Entropy (8bit):	1.809668192566949
Encrypted:	false
SSDEEP:	49152:2haWdI61MiQk777QK94lyaUG+S0R/xYnYAAaz5qQ+ch4A8VNWdl:20WdI3i5TCxZIZ0YAACE
MD5:	D1B0632E0B415DADA059CD8917FF9096
SHA1:	138671DD6E05F6FEEED840449050687A393B66CB
SHA-256:	7FB1A410AA73AD6B9E761BD3AD2910ABFF6D0FF3596DB412BFDDF09184F0C226
SHA-512:	AD88229E70E2830E23D6F15F4592A8EE1F0A86C02872B0DAB24A692F9DB1D847E4CCC2280076CB4CD5C6F97ECA71F3FCDC9A0B44612859369B8B742B0E804B12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B.`z..`z..`z......`z...y..`z...~..`z......`z......`z...{..`z...{..`z..`{..az...s..`z.....`z..`...`z...x..`z.Rich.`z.........PE..L......g...............+............?.............@.......................................@.....................................\|.......0B...................P..d...._..p...........................0_..@...............p............................text............................... ..`.rdata...&.......(..................@..@.data............P..................@....rsrc...0B.......D...<..............@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe
File Type:	ASCII text, with CRLF line terminators, with escape sequences
Category:	dropped
Size (bytes):	748609
Entropy (8bit):	3.499873853748294
Encrypted:	false
SSDEEP:	1536:8mmmmammmmmmmjmmmmmmmm8mmmmmmmm0mmmmmmmJmmmmmmOmmmmmmmSmmmmmmmzH:n
MD5:	E87722538AB06182BD31B83C9EF68848
SHA1:	C6BCB13F85C3ECE0A52A05AA3590BE1736EF45CE
SHA-256:	5C4B5B5DB4B6A344E59A837190870E678508F450832E746CA7D7AB731F957856
SHA-512:	8DEA85B934347046F51C00B471C820E82394C2247067C2D17D2D596C849771DE07DBC6DA07AAF56FA524BF423E3AE9D487369E8D0421D6D63C269427637146A1
Malicious:	false
Preview:	.]0;Extended Training v2.1.===========================================================================.[K..\| Fang, gonp, and meepster99(Inana)'s Extended Training Mode Mod v2.1 \|.[K..\| \|.[K..\| https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases \|.[K..\| \|.[K..===========================================================================.[K...[KLooking for MBAA.exe... .[K.[J===========================================================================.[K..\| Fang, gonp, and meepster99(Inana)'s Extended Training Mode Mod v2.1 \|.[K..\| \|.[K..\| https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases \|.[K..\| \|.[K..========================================================

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.8533786120072568
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
File size:	12'606'976 bytes
MD5:	4864dd1c69d3fa10d608c2483be1219a
SHA1:	7cf739e0812972172cb321335aeb33cc527f08aa
SHA256:	a56fc16a195fe09b8a210ce413f2519b52a13acc3709ce1528e616da0037506f
SHA512:	f8710bdfa0a31a9958d957281d09c95a0af2238bb032ae19c506be1383a571544b92203d743eedb26162e6a988ff23d3972d6ad3b571fca18f0a2c85cb97cb53
SSDEEP:	49152:ibahaWdI61MiQk777QK94lyaUG+S0R/xYnYAAaz5qQ+ch4A8VNWdl:30WdI3i5TCxZIZ0YAACE
TLSH:	0BC65BD17302C4B6E18997F9F51DFBEA4228343A57E08CD3BAC1DF626A112CA5675F02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..'9.it9.it9.it0..t7.it(.ju;.it(.mu5.it(.lu".it(.hu=.itM.hu<.it9.ht..it..`u;.it...t8.it9..t8.it..ku8.itRich9.it........PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40cb72
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C406C0 [Sun Mar 2 07:20:32 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fec1b6a1f14ba582cb850c0df25a9440

Entrypoint Preview

Instruction
call 00007F9801223A2Eh
jmp 00007F980122329Fh
push ebp
mov ebp, esp
and dword ptr [004158C0h], 00000000h
sub esp, 28h
or dword ptr [00415008h], 01h
push 0000000Ah
call dword ptr [0040E03Ch]
test eax, eax
je 00007F980122372Bh
push ebx
push esi
push edi
xor eax, eax
lea edi, dword ptr [ebp-28h]
xor ecx, ecx
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-28h]
mov edi, dword ptr [ebp-24h]
mov dword ptr [ebp-04h], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-1Ch]
xor eax, 49656E69h
mov dword ptr [ebp-18h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 6C65746Eh
mov dword ptr [ebp-14h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-28h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-18h]
or eax, dword ptr [ebp-14h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007F980122345Bh
mov eax, dword ptr [ebp-28h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F9801223445h
cmp eax, 00020660h
je 00007F980122343Eh
cmp eax, 00020670h
je 00007F9801223437h
cmp eax, 00030650h
je 00007F9801223430h
cmp eax, 00030660h
je 00007F9801223429h
cmp eax, 00030670h
jne 00007F9801223429h
or dword ptr [000000C4h], 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1288c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0xbf1430	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc08000	0xaf4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x112d8	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11218	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcf47	0xd000	927b54b3fc83b0a3611a25212c36d31f	False	0.5348745492788461	data	6.5122549354551245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x6134	0x6200	9c635844891549b437249de0ddc4c09c	False	0.27841996173469385	data	5.351173852622964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x15000	0x938	0x600	c29096c00a15f63102686cdf80492068	False	0.24153645833333334	data	4.085658188114203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0xbf1430	0xbf1600	db4567eb8230c465347c2868bdfb7998	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc08000	0xaf4	0xc00	175bafe0b41ac8c3621ad94b453f6a95	False	0.76953125	data	6.27701941807933	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
EXE	0x160b0	0xbf1200	PE32 executable (console) Intel 80386, for MS Windows	English	United States	0.29232120513916016
RT_MANIFEST	0xc072b0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	SizeofResource, OutputDebugStringA, GetModuleFileNameW, GetTempPathW, GetLastError, LockResource, DeleteFileW, LoadResource, FindResourceW, CreateProcessW, GetModuleHandleW, MoveFileW, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, UnhandledExceptionFilter
MSVCP140.dll	?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Xlength_error@std@@YAXPBD@Z, ?id@?$collate@D@std@@2V0locale@2@A, _Strcoll, ?_Getcat@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?get@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QBE?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AAVios_base@2@AAHPAUtm@@PBD4@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?id@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ, ?getloc@ios_base@std@@QBE?AVlocale@2@XZ, ?good@ios_base@std@@QBE_NXZ, ??Bios_base@std@@QBE_NXZ, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z, ?tolower@?$ctype@D@std@@QBEDD@Z, ?always_noconv@codecvt_base@std@@QBE_NXZ, ??1facet@locale@std@@MAE@XZ, ??0facet@locale@std@@IAE@I@Z, ?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ, ?_Incref@facet@locale@std@@UAEXXZ, ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ, ??1_Locinfo@std@@QAE@XZ, ??0_Locinfo@std@@QAE@PBD@Z, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?_Id_cnt@id@locale@std@@0HA, ?_Xbad_alloc@std@@YAXXZ, ?uncaught_exception@std@@YA_NXZ, ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??0_Lockit@std@@QAE@H@Z, ??1_Lockit@std@@QAE@XZ, _Strxfrm, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
WININET.dll	InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW
VCRUNTIME140.dll	_CxxThrowException, __current_exception, __current_exception_context, _except_handler4_common, memset, memcpy, __CxxFrameHandler3, __std_exception_destroy, __std_exception_copy, __std_terminate, strchr, memmove
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, fwrite, __stdio_common_vsprintf, __stdio_common_vfprintf, __p__commode, _get_stream_buffer_pointers, _fseeki64, fread, fclose, fflush, __acrt_iob_func, fsetpos, fputc, ungetc, setvbuf, fgetpos, fgetc
api-ms-win-crt-heap-l1-1-0.dll	realloc, _callnewh, free, _set_new_mode, malloc
api-ms-win-crt-time-l1-1-0.dll	_mktime64
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file
api-ms-win-crt-runtime-l1-1-0.dll	_configure_narrow_argv, _initialize_narrow_environment, _get_narrow_winmain_command_line, _set_app_type, _seh_filter_exe, exit, _exit, _invalid_parameter_noinfo_noreturn, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _initterm, _initterm_e, terminate, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _controlfp_s
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 30
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2025 11:28:45.537193060 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:45.537251949 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:45.537379980 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:45.552481890 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:45.552500963 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:47.593972921 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:47.594134092 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:47.654829025 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:47.654861927 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:47.655941963 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:47.656097889 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:47.660037994 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:47.700438023 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.358340025 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.358587027 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.358603001 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.358648062 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.377917051 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.378027916 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.378076077 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.378118038 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.378190994 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.378262043 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.378269911 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.378307104 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.378323078 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.378326893 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.378349066 CET	443	49715	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:48.378355026 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.378385067 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:48.378408909 CET	49715	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:49.464601040 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:49.464638948 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:49.465010881 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:49.473433971 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:49.473454952 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:51.423677921 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:51.423772097 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:51.425441980 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:51.425456047 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:51.426323891 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:51.429794073 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:51.472332001 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.156394005 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.169991016 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.170049906 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.170067072 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:52.170089006 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.170130968 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:52.170140028 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.173880100 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.173953056 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:52.173962116 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.180516958 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.180608988 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:52.180617094 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.180638075 CET	443	49719	140.82.121.5	192.168.2.4
Mar 8, 2025 11:28:52.180706024 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:52.208219051 CET	49719	443	192.168.2.4	140.82.121.5
Mar 8, 2025 11:28:52.208246946 CET	443	49719	140.82.121.5	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 8, 2025 11:28:45.487421989 CET	63542	53	192.168.2.4	1.1.1.1
Mar 8, 2025 11:28:45.495441914 CET	53	63542	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 8, 2025 11:28:45.487421989 CET	192.168.2.4	1.1.1.1	0x3a70	Standard query (0)	api.github.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 8, 2025 11:28:45.495441914 CET	1.1.1.1	192.168.2.4	0x3a70	No error (0)	api.github.com		140.82.121.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.github.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49715	140.82.121.5	443	7548	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-08 10:28:47 UTC	161	OUT	GET /repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge HTTP/1.1 User-Agent: GitHubAPI Host: api.github.com Cache-Control: no-cache
2025-03-08 10:28:48 UTC	1308	IN	HTTP/1.1 200 OK Date: Sat, 08 Mar 2025 10:28:48 GMT Content-Type: application/json; charset=utf-8 Cache-Control: public, max-age=60, s-maxage=60 Vary: Accept,Accept-Encoding, Accept, X-Requested-With ETag: W/"570a3eca33ec97aef9bedc2378265f09a711e1f02e3a2d55dff2163183d411fd" Last-Modified: Sun, 02 Mar 2025 07:20:35 GMT X-GitHub-Media-Type: github.v3; format=json x-github-api-version-selected: 2022-11-28 Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset Access-Control-Allow-Origin: * Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin Content-Security-Policy: default-src 'none' Server: github.com Accept-Ranges: bytes X-RateLimit-Limit: 60 X-RateLimit-Remaining: 57 X-RateLimit-Reset: 1741432772 X-RateLimit-Resource: core X-RateLimit-Used: 3 Content-Length: 3763 X-GitHub-Request-Id: B6EC:2904DB:7F8983E:8378F9B:67CC1BDF connection: close
2025-03-08 10:28:48 UTC	62	IN	Data Raw: 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 70 6f 73 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 6e 64 65 64 Data Ascii: {"url":"https://api.github.com/repos/fangdreth/MBAACC-Extended
2025-03-08 10:28:48 UTC	1370	IN	Data Raw: 2d 54 72 61 69 6e 69 6e 67 2d 4d 6f 64 65 2f 72 65 6c 65 61 73 65 73 2f 32 30 33 32 30 36 37 37 38 22 2c 22 61 73 73 65 74 73 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 70 6f 73 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 6e 64 65 64 2d 54 72 61 69 6e 69 6e 67 2d 4d 6f 64 65 2f 72 65 6c 65 61 73 65 73 2f 32 30 33 32 30 36 37 37 38 2f 61 73 73 65 74 73 22 2c 22 75 70 6c 6f 61 64 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 70 6f 73 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 6e 64 65 64 2d 54 72 61 69 6e 69 6e 67 2d 4d 6f 64 65 2f 72 65 6c 65 61 73 65 73 2f 32 30 33 32 30 36 37 37 38 2f 61 73 73 65 Data Ascii: -Training-Mode/releases/203206778","assets_url":"https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets","upload_url":"https://uploads.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/asse
2025-03-08 10:28:48 UTC	1370	IN	Data Raw: 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 67 69 74 68 75 62 2d 61 63 74 69 6f 6e 73 25 35 42 62 6f 74 25 35 44 2f 72 65 63 65 69 76 65 64 5f 65 76 65 6e 74 73 22 2c 22 74 79 70 65 22 3a 22 42 6f 74 22 2c 22 75 73 65 72 5f 76 69 65 77 5f 74 79 70 65 22 3a 22 70 75 62 6c 69 63 22 2c 22 73 69 74 65 5f 61 64 6d 69 6e 22 3a 66 61 6c 73 65 7d 2c 22 6e 6f 64 65 5f 69 64 22 3a 22 52 45 5f 6b 77 44 4f 4c 75 46 33 56 63 34 4d 48 4c 42 36 22 2c 22 74 61 67 5f 6e 61 6d 65 22 3a 22 62 6c 65 65 64 69 6e 67 2d 65 64 67 65 22 2c 22 74 61 72 67 65 74 5f 63 6f 6d 6d 69 74 69 73 68 22 3a 22 6d 61 69 6e 22 2c 22 6e 61 6d 65 22 3a 22 42 6c 65 65 64 69 6e 67 20 45 64 67 65 22 2c 22 64 72 61 66 74 22 3a 66 61 6c 73 65 2c 22 70 72 65 72 Data Ascii: ttps://api.github.com/users/github-actions%5Bbot%5D/received_events","type":"Bot","user_view_type":"public","site_admin":false},"node_id":"RE_kwDOLuF3Vc4MHLB6","tag_name":"bleeding-edge","target_commitish":"main","name":"Bleeding Edge","draft":false,"prer
2025-03-08 10:28:48 UTC	961	IN	Data Raw: 22 72 65 70 6f 73 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 67 69 74 68 75 62 2d 61 63 74 69 6f 6e 73 25 35 42 62 6f 74 25 35 44 2f 72 65 70 6f 73 22 2c 22 65 76 65 6e 74 73 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 67 69 74 68 75 62 2d 61 63 74 69 6f 6e 73 25 35 42 62 6f 74 25 35 44 2f 65 76 65 6e 74 73 7b 2f 70 72 69 76 61 63 79 7d 22 2c 22 72 65 63 65 69 76 65 64 5f 65 76 65 6e 74 73 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 67 69 74 68 75 62 2d 61 63 74 69 6f 6e 73 25 35 42 62 6f 74 25 35 44 2f 72 65 63 65 69 76 65 64 5f 65 76 65 6e 74 73 22 2c 22 74 79 70 Data Ascii: "repos_url":"https://api.github.com/users/github-actions%5Bbot%5D/repos","events_url":"https://api.github.com/users/github-actions%5Bbot%5D/events{/privacy}","received_events_url":"https://api.github.com/users/github-actions%5Bbot%5D/received_events","typ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49719	140.82.121.5	443	8056	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-08 10:28:51 UTC	139	OUT	GET /repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest HTTP/1.1 Host: api.github.com User-Agent: curl/7.83.1 Accept: /
2025-03-08 10:28:52 UTC	1308	IN	HTTP/1.1 200 OK Date: Sat, 08 Mar 2025 10:28:51 GMT Content-Type: application/json; charset=utf-8 Cache-Control: public, max-age=60, s-maxage=60 Vary: Accept,Accept-Encoding, Accept, X-Requested-With ETag: W/"f45619b92d3471966920c43de4f9d09cecf5dc3b126dc145ab7ef1aa6c8c9aab" Last-Modified: Sat, 05 Oct 2024 19:18:19 GMT X-GitHub-Media-Type: github.v3; format=json x-github-api-version-selected: 2022-11-28 Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset Access-Control-Allow-Origin: * Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin Content-Security-Policy: default-src 'none' Server: github.com Accept-Ranges: bytes X-RateLimit-Limit: 60 X-RateLimit-Remaining: 56 X-RateLimit-Reset: 1741432772 X-RateLimit-Resource: core X-RateLimit-Used: 4 Content-Length: 9473 X-GitHub-Request-Id: B6F4:1C8C98:7469228:7858406:67CC1BE3 connection: close
2025-03-08 10:28:52 UTC	62	IN	Data Raw: 7b 0a 20 20 22 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 70 6f 73 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 Data Ascii: { "url": "https://api.github.com/repos/fangdreth/MBAACC-Exte
2025-03-08 10:28:52 UTC	1370	IN	Data Raw: 6e 64 65 64 2d 54 72 61 69 6e 69 6e 67 2d 4d 6f 64 65 2f 72 65 6c 65 61 73 65 73 2f 31 37 38 35 33 34 37 38 30 22 2c 0a 20 20 22 61 73 73 65 74 73 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 70 6f 73 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 6e 64 65 64 2d 54 72 61 69 6e 69 6e 67 2d 4d 6f 64 65 2f 72 65 6c 65 61 73 65 73 2f 31 37 38 35 33 34 37 38 30 2f 61 73 73 65 74 73 22 2c 0a 20 20 22 75 70 6c 6f 61 64 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 70 6f 73 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 6e 64 65 64 2d 54 72 61 69 6e 69 6e 67 2d 4d 6f 64 65 2f 72 65 6c 65 61 73 65 73 2f 31 37 Data Ascii: nded-Training-Mode/releases/178534780", "assets_url": "https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/178534780/assets", "upload_url": "https://uploads.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/17
2025-03-08 10:28:52 UTC	1370	IN	Data Raw: 72 65 74 68 2f 72 65 63 65 69 76 65 64 5f 65 76 65 6e 74 73 22 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 55 73 65 72 22 2c 0a 20 20 20 20 22 75 73 65 72 5f 76 69 65 77 5f 74 79 70 65 22 3a 20 22 70 75 62 6c 69 63 22 2c 0a 20 20 20 20 22 73 69 74 65 5f 61 64 6d 69 6e 22 3a 20 66 61 6c 73 65 0a 20 20 7d 2c 0a 20 20 22 6e 6f 64 65 5f 69 64 22 3a 20 22 52 45 5f 6b 77 44 4f 4c 75 46 33 56 63 34 4b 70 44 6c 38 22 2c 0a 20 20 22 74 61 67 5f 6e 61 6d 65 22 3a 20 22 76 32 2e 30 22 2c 0a 20 20 22 74 61 72 67 65 74 5f 63 6f 6d 6d 69 74 69 73 68 22 3a 20 22 6d 61 69 6e 22 2c 0a 20 20 22 6e 61 6d 65 22 3a 20 22 76 32 2e 30 22 2c 0a 20 20 22 64 72 61 66 74 22 3a 20 66 61 6c 73 65 2c 0a 20 20 22 70 72 65 72 65 6c 65 61 73 65 22 3a 20 66 61 6c 73 65 2c 0a 20 20 22 63 Data Ascii: reth/received_events", "type": "User", "user_view_type": "public", "site_admin": false }, "node_id": "RE_kwDOLuF3Vc4KpDl8", "tag_name": "v2.0", "target_commitish": "main", "name": "v2.0", "draft": false, "prerelease": false, "c
2025-03-08 10:28:52 UTC	1370	IN	Data Raw: 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 66 61 6e 67 64 72 65 74 68 2f 6f 72 67 73 22 2c 0a 20 20 20 20 20 20 20 20 22 72 65 70 6f 73 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 66 61 6e 67 64 72 65 74 68 2f 72 65 70 6f 73 22 2c 0a 20 20 20 20 20 20 20 20 22 65 76 65 6e 74 73 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 66 61 6e 67 64 72 65 74 68 2f 65 76 65 6e 74 73 7b 2f 70 72 69 76 61 63 79 7d 22 2c 0a 20 20 20 20 20 20 20 20 22 72 65 63 65 69 76 65 64 5f 65 76 65 6e 74 73 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: rl": "https://api.github.com/users/fangdreth/orgs", "repos_url": "https://api.github.com/users/fangdreth/repos", "events_url": "https://api.github.com/users/fangdreth/events{/privacy}", "received_events_url": "https://api.github.co
2025-03-08 10:28:52 UTC	1370	IN	Data Raw: 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 66 61 6e 67 64 72 65 74 68 2f 66 6f 6c 6c 6f 77 65 72 73 22 2c 0a 20 20 20 20 20 20 20 20 22 66 6f 6c 6c 6f 77 69 6e 67 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 66 61 6e 67 64 72 65 74 68 2f 66 6f 6c 6c 6f 77 69 6e 67 7b 2f 6f 74 68 65 72 5f 75 73 65 72 7d 22 2c 0a 20 20 20 20 20 20 20 20 22 67 69 73 74 73 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 75 73 65 72 73 2f 66 61 6e 67 64 72 65 74 68 2f 67 69 73 74 73 7b 2f 67 69 73 74 5f 69 64 7d 22 2c 0a 20 20 20 20 20 20 20 20 22 73 74 61 72 72 65 64 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 Data Ascii: ps://api.github.com/users/fangdreth/followers", "following_url": "https://api.github.com/users/fangdreth/following{/other_user}", "gists_url": "https://api.github.com/users/fangdreth/gists{/gist_id}", "starred_url": "https://api.gi
2025-03-08 10:28:52 UTC	1370	IN	Data Raw: 52 45 41 44 4d 45 2e 6d 64 22 2c 0a 20 20 20 20 20 20 22 6c 61 62 65 6c 22 3a 20 6e 75 6c 6c 2c 0a 20 20 20 20 20 20 22 75 70 6c 6f 61 64 65 72 22 3a 20 7b 0a 20 20 20 20 20 20 20 20 22 6c 6f 67 69 6e 22 3a 20 22 66 61 6e 67 64 72 65 74 68 22 2c 0a 20 20 20 20 20 20 20 20 22 69 64 22 3a 20 36 31 33 39 30 39 30 34 2c 0a 20 20 20 20 20 20 20 20 22 6e 6f 64 65 5f 69 64 22 3a 20 22 4d 44 51 36 56 58 4e 6c 63 6a 59 78 4d 7a 6b 77 4f 54 41 30 22 2c 0a 20 20 20 20 20 20 20 20 22 61 76 61 74 61 72 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 75 2f 36 31 33 39 30 39 30 34 3f 76 3d 34 22 2c 0a 20 20 20 20 20 20 20 20 22 67 72 61 76 61 74 61 72 5f 69 64 22 3a 20 22 22 2c 0a Data Ascii: README.md", "label": null, "uploader": { "login": "fangdreth", "id": 61390904, "node_id": "MDQ6VXNlcjYxMzkwOTA0", "avatar_url": "https://avatars.githubusercontent.com/u/61390904?v=4", "gravatar_id": "",
2025-03-08 10:28:52 UTC	1370	IN	Data Raw: 20 22 75 70 64 61 74 65 64 5f 61 74 22 3a 20 22 32 30 32 34 2d 31 30 2d 30 35 54 31 38 3a 35 30 3a 32 33 5a 22 2c 0a 20 20 20 20 20 20 22 62 72 6f 77 73 65 72 5f 64 6f 77 6e 6c 6f 61 64 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 6e 64 65 64 2d 54 72 61 69 6e 69 6e 67 2d 4d 6f 64 65 2f 72 65 6c 65 61 73 65 73 2f 64 6f 77 6e 6c 6f 61 64 2f 76 32 2e 30 2f 52 45 41 44 4d 45 2e 6d 64 22 0a 20 20 20 20 7d 0a 20 20 5d 2c 0a 20 20 22 74 61 72 62 61 6c 6c 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 70 6f 73 2f 66 61 6e 67 64 72 65 74 68 2f 4d 42 41 41 43 43 2d 45 78 74 65 6e 64 65 64 2d 54 72 61 69 6e 69 6e 67 Data Ascii: "updated_at": "2024-10-05T18:50:23Z", "browser_download_url": "https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/v2.0/README.md" } ], "tarball_url": "https://api.github.com/repos/fangdreth/MBAACC-Extended-Training
2025-03-08 10:28:52 UTC	623	IN	Data Raw: 74 6b 65 79 5c 72 5c 6e 5c 72 5c 6e 2b 20 4d 6f 72 65 20 66 65 61 74 75 72 65 73 20 74 6f 20 45 6e 65 6d 79 20 52 65 76 65 72 73 61 6c 73 5c 72 5c 6e 20 20 2b 20 43 61 6e 20 62 65 20 74 75 72 6e 65 64 20 6f 66 66 20 77 69 74 68 6f 75 74 20 73 65 74 74 69 6e 67 20 65 76 65 72 79 74 68 69 6e 67 20 74 6f 20 4e 4f 4e 45 5c 72 5c 6e 20 20 2b 20 52 65 76 65 72 73 61 6c 20 6f 75 74 20 6f 66 20 73 68 69 65 6c 64 5c 72 5c 6e 20 20 2b 20 52 65 76 65 72 73 61 6c 20 77 69 74 68 20 61 20 68 6f 74 6b 65 79 5c 72 5c 6e 5c 72 5c 6e 2b 20 43 75 73 74 6f 6d 20 52 4e 47 20 43 6f 6e 74 72 6f 6c 73 5c 72 5c 6e 20 20 2b 20 50 69 63 6b 20 61 20 63 75 73 74 6f 6d 20 53 65 65 64 20 6f 72 20 61 20 73 70 65 63 69 66 69 63 20 52 4e 47 20 76 61 6c 75 65 5c 72 5c 6e 20 20 2b 20 43 61 Data Ascii: tkey\r\n\r\n+ More features to Enemy Reversals\r\n + Can be turned off without setting everything to NONE\r\n + Reversal out of shield\r\n + Reversal with a hotkey\r\n\r\n+ Custom RNG Controls\r\n + Pick a custom Seed or a specific RNG value\r\n + Ca
2025-03-08 10:28:52 UTC	568	IN	Data Raw: 6f 6c 69 64 20 63 6f 6c 6f 72 2e 20 20 55 73 65 66 75 6c 20 66 6f 72 20 63 68 72 6f 6d 61 20 6b 65 79 69 6e 67 5c 72 5c 6e 20 20 2b 20 44 69 73 61 62 6c 65 20 73 68 61 64 6f 77 73 5c 72 5c 6e 5c 72 5c 6e 2b 20 54 72 61 69 6e 69 6e 67 20 44 69 73 70 6c 61 79 5c 72 5c 6e 20 20 2b 20 49 6d 70 72 6f 76 65 64 20 74 68 65 20 61 63 63 75 72 61 63 79 20 6f 66 20 6d 65 74 65 72 20 62 75 69 6c 74 20 64 75 72 69 6e 67 20 61 20 63 6f 6d 62 6f 5c 72 5c 6e 5c 72 5c 6e 2b 20 4d 6f 72 65 20 63 68 61 72 61 63 74 65 72 20 73 70 65 63 69 66 69 63 20 63 6f 6e 74 72 6f 6c 73 5c 72 5c 6e 20 20 2b 20 46 4d 61 69 64 73 20 48 65 61 72 74 73 5c 72 5c 6e 20 20 2b 20 52 79 6f 75 67 69 20 4b 6e 69 66 65 5c 72 5c 6e 5c 72 5c 6e 2b 20 45 74 20 63 65 74 65 72 61 5c 72 5c 6e 20 20 2b 20 Data Ascii: olid color. Useful for chroma keying\r\n + Disable shadows\r\n\r\n+ Training Display\r\n + Improved the accuracy of meter built during a combo\r\n\r\n+ More character specific controls\r\n + FMaids Hearts\r\n + Ryougi Knife\r\n\r\n+ Et cetera\r\n +

Statistics

CPU Usage

• SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
• Extended-Training-Mode.exe
• conhost.exe
• cmd.exe
• curl.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
• Extended-Training-Mode.exe
• conhost.exe
• cmd.exe
• curl.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
• Extended-Training-Mode.exe
• conhost.exe
• cmd.exe
• curl.exe

Click to jump to process

Target ID:	0
Start time:	05:28:44
Start date:	08/03/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe"
Imagebase:	0x710000
File size:	12'606'976 bytes
MD5 hash:	4864DD1C69D3FA10D608C2483BE1219A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:28:47
Start date:	08/03/2025
Path:	C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe"
Imagebase:	0xf30000
File size:	12'521'984 bytes
MD5 hash:	D1B0632E0B415DADA059CD8917FF9096
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	05:28:47
Start date:	08/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:28:48
Start date:	08/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:28:48
Start date:	08/03/2025
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Imagebase:	0x850000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 0071D133 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0071D145
GetCurrentThreadId.KERNEL32 ref: 0071D154
GetCurrentProcessId.KERNEL32 ref: 0071D15D
QueryPerformanceCounter.KERNEL32(?), ref: 0071D16A

Memory Dump Source

Source File: 00000000.00000002.1298533227.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1298513992.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298556708.000000000071E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298581777.0000000000725000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298600991.0000000000726000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298600991.0000000000879000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1298600991.00000000012B1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ac8187eb9dbf13ad60949d67e13fd03365dd53fc86d24130ce17572ae093ad6e
Instruction ID: 144abe3488332e796dc55b6644193271f9e8440d0bb810459b5cbce83a4d8854
Opcode Fuzzy Hash: ac8187eb9dbf13ad60949d67e13fd03365dd53fc86d24130ce17572ae093ad6e
Instruction Fuzzy Hash: 52F0A470C0020CEBCB00DBB4C6489CEB7F4EF1C200B618995E812E6150E678A7448B51

Analysis Process: Extended-Training-Mode.exePID: 7980, Parent PID: 7548COMMON

Non-executed Functions

Function 00FC084D Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00FC085F
GetCurrentThreadId.KERNEL32 ref: 00FC086E
GetCurrentProcessId.KERNEL32 ref: 00FC0877
QueryPerformanceCounter.KERNEL32(?), ref: 00FC0884

Memory Dump Source

Source File: 00000006.00000002.3127887499.0000000000F31000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000006.00000002.3127844563.0000000000F30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.3128017297.0000000000FCD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.3128101482.0000000001000000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.3128160129.0000000001084000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.3128160129.00000000010CE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.3128240476.00000000010D0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.3128240476.0000000001B07000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f30000_Extended-Training-Mode.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 63c19ac3691d4c0e76940e45655c321cd8b4d77ec7729dcbd09e24d7ececc9e9
Instruction ID: f87041f696bcc67ac66d25a1d36a848c4d36ea4707eaad8b2e7166930031d6fc
Opcode Fuzzy Hash: 63c19ac3691d4c0e76940e45655c321cd8b4d77ec7729dcbd09e24d7ececc9e9
Instruction Fuzzy Hash: 8DF06274D5020DEBCB00DBB8DA4999EBBF4FF1C204F9145A5E412F7114E730AB499B50

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\bleeding-edge[1].json

C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-DLL.dll

C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-Launcher.log

C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe