PULSE NAME: CAPE Sandbox - zbetcheckintracker 12/6/2024
TLP: WHITE
Author: msudosos
Created: 2026-04-30
Modified: 2026-05-30
IOCs: 430 (HIGH VOLUME)
VT Comments
"#zbetcheckin tracker
Downloaded on 2024-12-06 05:54:14 UTC
SRC URL: https://nuo-stems.fra1.cdn.digitaloceanspaces.com/NUO-STEMS-3-3.1.0-beta.3.exe
IP: 104.18.42.227
AS: AS13335 Cloudflare, Inc.
YARA: #debuggerpattern__cpuid #ft_exe #debuggertiming__ticks #ip #hasrichsignature #ispacked #mz_executable #screenshot #create_process #crc32_poly_constant #win_registry #hasoverlay #maldoc_suspicious_strings #math_entropy_close_8 #escalate_priv #debuggerpattern__rdtsc #executable_pe #ispe32 #url #win_files_operation #contains_pe_file #embedded_pe #isexecutable #win_token #iswindowsgui #maldoc_function_prolog_signature #contentis_base64"
MITRE ATT&CK & Malware Families
Indicators of Compromise (66 / 430 total)
Indicator types (filter): FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL, domain, hostname
TYPE    INDICATOR    DESCRIPTION    CREATED
URL http://208.111.186.0 2026-04-30
URL http://131.107.255.255 2026-04-30
URL http://disallowedcertstl.cab?109efc572ecf8930 2026-04-30
URL http://disallowedcertstl.cab?99930c326937f73d 2026-04-30
URL http://disallowedcertstl.cab?d1e1c6ebe5387129 2026-04-30
URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?109efc572ecf8930 2026-04-30
URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?99930c326937f73d 2026-04-30
URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d1e1c6ebe5387129 2026-04-30
URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?4c6bdb4aff4d91ec 2026-04-30
URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?fa94d910553274b3 2026-04-30
URL http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab 2026-04-30
URL http://edgedl.me.gvt1.com/edgedl/release2/chrome/adp3baxg5gbko4wh53dwmsh4wrwa_130.0.6723.70/-8a69d345-d564-463c-aff1-a69d9e530f96-_130.0.6723.70_all_erulwjh2ommtc3zdhrqxhv2f34.crx3 2026-04-30
URL http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D 2026-04-30
URL http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D 2026-04-30
URL http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D 2026-04-30
URL http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAWUdUoRjTpU4O3nzZcW0Ek%3D 2026-04-30
URL http://x1.c.lencr.org/ 2026-04-30
URL http://pinrulesstl.cab?4c6bdb4aff4d91ec 2026-04-30
URL http://pinrulesstl.cab?fa94d910553274b3 2026-04-30
URL http://1.c.9.2.9.7.9.7.f.b.4.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://2.0.f.f.ip6.arpa 2026-04-30
URL http://2.b.e.8.6.8.2.3.a.6.c.8.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://5.5.d.0.1.b.9.f.4.4.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://6.1.a.7.e.d.2.2.5.6.d.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://6.4.c.7.8.5.f.5.9.c.8.b.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://6.7.8.a.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://6.d.2.2.9.5.5.7.a.9.8.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://8.c.0.c.a.2.c.7.b.d.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://a.1.0.c.a.8.b.6.d.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://b.b.1.7.d.4.5.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://d.8.b.5.6.9.9.e.6.e.d.9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://f.1.4.e.f.5.d.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa 2026-04-30
URL http://1.0.0.0 2026-04-30
URL http://3.0.0.0 2026-04-30
URL http://nsis.sf.net 2026-04-30
URL http://nsis.sf.net/NSIS_Error 2026-04-30
URL http://nuo-stems.fra1.digitaloceanspaces.com:443 2026-04-30
URL https://nuo-stems.fra1.digitaloceanspaces.com/nuo-stems-3-3.1.0-beta.3-x64.nsis.7z 2026-04-30
URL https://akamaitv.com/ 2026-04-30
URL http://check.dumdum.dev/ 2026-04-30
URL http://ntp.airvantage.net 2026-04-30
URL http://ntp.airvantage.net/ 2026-04-30
URL http://ntp.lingyiitech.com 2026-04-30
URL http://ntp1.moobox.cn 2026-04-30
URL http://ntp3.whitelist.camect.com 2026-04-30
URL http://ntp3.whitelist.camect.com/ 2026-04-30
URL http://tick.katestech.com 2026-04-30
URL http://time.allworx.net 2026-04-30
URL http://time.allworx.net/ 2026-04-30
URL http://time.altisource.com 2026-04-30
URL http://time.citco.com/ 2026-04-30
URL http://time.robosoft.co.in 2026-04-30
URL http://time.servers.securevrs.com 2026-04-30
URL http://time.vitesco.com 2026-04-30
URL http://time1.watchfireignite.com 2026-04-30
URL http://www.elpida.com/en/products/ 2026-04-30
URL https://main.ctecoding.com/ 2026-04-30
URL https://myplanlogin.healthplan.org/ 2026-04-30
URL https://sprs.torontocas.ca/ 2026-04-30
URL https://sso.fst.com/ 2026-04-30
URL https://www.hellolingo.com/glucoseguide 2026-04-30
URL https://www.hexion.com/ 2026-04-30
URL https://www.meritagehomes.com/ 2026-04-30
URL https://www.verabank.com/ 2026-04-30
URL https://www.womeninmanufacturing.org/ 2026-04-30
URL https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md%23atomic-test-6---discover-specific-process---tasklist%0A%20%20%20%20-%20https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf%0A%20%20%20%20-%20https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html%0Aauthor:%20Nasreddine%20Bencherchali%20 2026-04-30
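The URL table above mixes hosts the sample itself reached with traffic any Windows sandbox VM generates on its own: certificate trust-list downloads from ctldl.windowsupdate.com, OCSP checks against ocsp.digicert.com, the Let's Encrypt CA fetch from x1.c.lencr.org, a Chrome component update from gvt1.com, pool-style NTP servers, reverse ip6.arpa lookups, and the NSIS installer's built-in error page. CAPE's URL extractor also emitted a few non-URLs (a bare .cab filename with its query string, host part lost). The following triage script is an added example by the editor, not part of the OTX pulse, CAPE Sandbox or the zbetcheckin tracker; it takes a subset of the indicators listed above (embedded inline as sample input) and partitions them into buckets so the analyst's queue contains only what is left. The allowlist and hostname patterns are analyst heuristics, i.e. assumptions, not a verdict on any host, and anything landing in the review buckets (here the nuo-stems.fra1.digitaloceanspaces.com download URLs, check.dumdum.dev and the raw IP) still needs manual analysis.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input (constructed): a subset of the URL indicators listed in the
# pulse above, embedded here so the script runs offline.
SAMPLE_IOCS = [
    "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?109efc572ecf8930",
    "http://disallowedcertstl.cab?109efc572ecf8930",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D",
    "http://x1.c.lencr.org/",
    "http://1.c.9.2.9.7.9.7.f.b.4.5.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa",
    "http://ntp.airvantage.net",
    "http://time.allworx.net/",
    "http://nsis.sf.net/NSIS_Error",
    "http://208.111.186.0",
    "http://nuo-stems.fra1.digitaloceanspaces.com:443",
    "https://nuo-stems.fra1.digitaloceanspaces.com/nuo-stems-3-3.1.0-beta.3-x64.nsis.7z",
    "http://check.dumdum.dev/",
]

# Heuristic patterns (editor's assumptions, not CAPE or OTX logic) for traffic
# a Windows sandbox VM produces by itself: certificate trust-list and OCSP
# fetches, Let's Encrypt CA downloads, Chrome component updates, and the NSIS
# installer's built-in error page.
BACKGROUND_DOMAINS = (
    "windowsupdate.com", "digicert.com", "lencr.org", "gvt1.com", "nsis.sf.net",
)
NTP_STYLE_HOST = re.compile(r"^(ntp\d*|time\d*|tick)\.")   # pool.ntp.org-style names
REVERSE_DNS = re.compile(r"\.(ip6|in-addr)\.arpa$")
DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlsplit(url).hostname or "").lower()


def classify(url: str) -> str:
    """Assign one triage bucket to an indicator URL."""
    host = host_of(url)
    # CAPE emitted the .cab name plus query string but lost the real host:
    # an extraction artifact, not a contactable indicator.
    if host.endswith(".cab"):
        return "malformed"
    if REVERSE_DNS.search(host):
        return "reverse-dns"      # PTR lookups by the OS resolver, not C2
    if any(host == d or host.endswith("." + d) for d in BACKGROUND_DOMAINS):
        return "background"
    if NTP_STYLE_HOST.match(host):
        return "ntp"              # time sync; the VM picks these from the pool
    if DOTTED_QUAD.match(host):
        return "review-ip"        # raw IPs: keep, then check routability/owner
    return "review"               # everything else goes to an analyst


def triage(urls):
    """Group URLs by bucket; 'review' and 'review-ip' form the analyst queue."""
    buckets = defaultdict(list)
    for u in urls:
        buckets[classify(u)].append(u)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_IOCS).items()):
        print(f"[{bucket}] {len(items)}")
        for u in items:
            print("   ", u)
```

Run it on the full 430-indicator export instead of SAMPLE_IOCS and the review buckets are what is worth pivoting on; the background buckets are still worth keeping as sandbox-fingerprint context, but they should not be pushed to a blocklist, since they are shared Microsoft, DigiCert and Let's Encrypt infrastructure.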
References (3)
CAPE Sandbox report: https://vtbehaviour.commondatastorage.googleapis.com/7239da2f1e827d89f94256594629dc4d9d8c75edf0ca262de2566b6193a5ff9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777520784&Signature=b%2BtX1%2Ffyku%2BclKccH3zOoEiQC%2FthJQjeHoIP4LV5sGJ6Zjj5tfJg3wNZYh2HBa4k26uwGj2nMlB0b0GYtweLW25Bc%2B404F%2BL6QapM%2B40QGW%2FB%2Br1PPeLGqibZInE87sOOaJiuEfSRazMcA%2BfHu%2Fb0jM4zPy9zJ0hixPtO1l5waijD8T%2Bb8bK1f%2BcYsBiZGyi%2B3iwCjtYGOqrh2%2FaUTIc2KtQ71wcNTUM
VirusTotal Jujubox report: https://vtbehaviour.commondatastorage.googleapis.com/7239da2f1e827d89f94256594629dc4d9d8c75edf0ca262de2566b6193a5ff9a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777520838&Signature=yGBMSw%2BY%2B%2FQx%2B1Bgu6Ak6yeMjBaVPrWKwmi8%2BPSW9Ryb8yjHv%2F3l%2B6dUti2eDEBmA4SPDCXTAb%2B08R2KfsYirOWGVXRTcZtRb8y2pmconV4eHUen6aMCmJSoeDAF1ZUgO%2B2LskdO5QD8uvc8wEKVRInU4idJ0ttgmEDuQkNtIDi%2FDNr6SPFGqUkJVUlxpmKByswFzetMzuNN8Z8PLowoIBCQT13JXQ6wAy%2
Yomi Hunter report: https://vtbehaviour.commondatastorage.googleapis.com/7239da2f1e827d89f94256594629dc4d9d8c75edf0ca262de2566b6193a5ff9a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777520882&Signature=wY5xl%2BYtBqki9lSTdsyaILrsT5QUwmmDT7LqFVonw6fiE9Ol7%2FbhW7T%2BmgCPPz2BaMiUXzt8uq3lJvsqaQkzLlFzxLgvwFM1pe%2BbKkZYBJsNzqAtZ%2FyI80TNC2%2FgFNmvCnZDjgiRx%2BxoTfnDJMYjzDnWbfywNJxYIgdw9G8GBd4MpxuCPkmADNlvC9snbqbfhs5yYwbydv9xq105M5N0ws8oj%2BUuC4kNSNEE4M8AmEqhGdx