{ "type": "Domain", "indicator": "apache.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/apache.org", "alexa": "http://www.alexa.com/siteinfo/apache.org", "indicator": "apache.org", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain apache.org", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain apache.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2651290299, "indicator": "apache.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 47, "pulses": [ { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e30ffa710fafb6d651ca89", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:36.582000", "created": "2026-04-18T05:00:42.166000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1354, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1239, "CIDR": 8 }, "indicator_count": 11599, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e30ffde212f52470137868", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:26.897000", "created": "2026-04-18T05:00:45.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1358, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1405, "email": 62, "domain": 1242, "CIDR": 8 }, "indicator_count": 11610, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6995ec2803ec8263d6cb9902", "name": "Potential for Abuse on Trusted Support Sites", "description": "Analysis of AlienVault OTX data shows that support.apple.com\u2014a whitelisted domain\u2014is associated with 69 malicious files, including Sodinokibi and BazarLoader.\nThe Potential for Abuse:\nBecause these domains are trusted by security filters (like Cisco Umbrella), they may be being used to:\nBypass Firewalls: Mask malicious traffic behind a \"safe\" reputation.\nTarget Vulnerable Users: Exploit the trust of people in high-stress situations who are seeking help.\nHide in Subdomains: Use fragmented assets (like rss.support.*) to avoid active monitoring.\nThe Precaution:\nWhitelisted status does not equal absolute safety. Researchers and users should:\nCheck Certificates: Verify the SSL/TLS Certificate is official.\nVerify Redirects: Check for Open Redirect triggers in links.\nNavigate Directly: Type URLs manually when possible.\nConclusion:\nSupport infrastructure is a high-trust environment. This trust may be being used to target users when they are most vulnerable. Caution is required.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-18T16:43:20.757000", "tags": [], "references": [ "", "msudosos note: Caution is required as I have noticed this accross multiple support sites." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 232, "URL": 112, "domain": 178, "CVE": 23, "FileHash-MD5": 62, "FileHash-SHA1": 59, "FileHash-SHA256": 59, "email": 1 }, "indicator_count": 726, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e36a79b52e21105f258e6e", "name": "Vasyaperskyi from Russia mrt.exe urls in memory", "description": "VirusTotal Graph (miniuser, 2025)", "modified": "2025-11-05T07:02:18.726000", "created": "2025-10-06T07:06:33.301000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/g421f9bbfc29448f8acd6e6e0eaa616e332de270d8f5c4b34bcfc69f325a7bbc7?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 86, "FileHash-MD5": 43, "FileHash-SHA1": 43, "FileHash-SHA256": 135, "domain": 6, "hostname": 39 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686df81130f94fff809dd8b7", "name": "T-Mobile Service- 23.185.0.2 - Mirai", "description": "", "modified": "2025-08-08T04:05:03.809000", "created": "2025-07-09T05:03:13.536000", "tags": [ "germany unknown", "passive dns", "invalid url", "ipv4 add", "pulse pulses", "urls", "files", "reverse dns", "frankfurt", "main", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr11", "validity", "public key", "info", "south korea", "united", "taiwan as3462", "as21928", "china as4134", "as4766 korea", "china as4837", "as9318 sk", "high", "as701 verizon", "malware", "copy", "name jim", "zemlin name", "letterman dr", "address bldg", "d ste", "date", "dnssec", "record value", "emails", "address", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jul", "present showing", "entries related", "domains show", "present jun", "search", "enom", "creation date", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 178, "FileHash-SHA1": 180, "FileHash-SHA256": 2435, "hostname": 644, "domain": 603, "URL": 585, "email": 3 }, "indicator_count": 4628, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68396d9ae8b96e90ff1848d5", "name": "AcK-U // unenriched - 05.30.25", "description": "Just a quick check", "modified": "2025-07-23T20:11:01.749000", "created": "2025-05-30T08:34:34.215000", "tags": [ "amazon02", "cloudflarenet", "amazonaes", "fastly", "github", "google", "facebook", "namecheapnet", "service", "cdck", "level3", "cloud", "com laude", "ltd dba", "namecheap inc", "gandi sas", "gmbh", "cloudflare", "namecheap", "registrarsafe", "ascio", "tucows", "spaceship", "please", "javascript", "iocs", "threat", "malware unread", "collection", "crowdsourced", "acku new", "share", "updated", "first ioc", "seen", "premium", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs", "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary", "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 91, "domain": 204, "hostname": 192, "URL": 731, "FileHash-SHA256": 27, "email": 1 }, "indicator_count": 1246, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853692cc1a1795b9f321422", "name": "Custom Power Wheelchairs | Misc Attack includes Emotet", "description": "", "modified": "2025-07-19T01:04:02.740000", "created": "2025-06-19T01:34:36.575000", "tags": [ "no expiration", "filehashsha256", "expiration", "url https", "filehashmd5", "filehashsha1", "domain", "hostname", "ipv4", "iocs", "url http", "create new", "pulse use", "pdf report", "pcap", "stix", "drop", "review iocs", "pulse show", "enter source", "url or", "search", "type indicator", "role title", "related pulses", "showing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-MD5": 351, "FileHash-SHA1": 328, "FileHash-SHA256": 396, "URL": 176, "domain": 94, "hostname": 75, "email": 2, "SSLCertFingerprint": 1 }, "indicator_count": 1426, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c6bb5aa601e91b1314ff44", "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)", "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8", "modified": "2025-04-22T06:02:28.535000", "created": "2025-03-04T08:35:38.390000", "tags": [ "misc", "filename ioc", "scanid", "sigtype1", "reasonscount", "sg2backup drive", "thu feb", "log entry", "exists1", "matched1", "warp", "trash", "rooter", "service", "puppet", "apache", "ruby", "execution", "android", "glasses", "agent", "hermes", "atlas", "score", "open", "orion", "entity", "download", "enterprise", "nexus", "beyond", "patch", "rest", "bsod", "bind", "june", "upgrade", "project", "surtr", "path", "mandrake", "accept", "openssl", "null", "responder", "shell", "servu", "cargo", "bypass", "green", "python", "iframe", "webex", "blink", "code", "netty", "fall", "grab", "metasploit", "webdav", "postscript", "middle", "assistant", "energy", "august", "diego", "february", "hold", "write", "extras", "fusion", "trace", "click", "rust", "anna", "virustotal", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "probe", "win32", "snoopy", "vuln", "april", "format", "flash", "domino", "calendar", "cryptocat", "orca", "hello", "stream", "confi", "sharepoint", "launcher", "hypervisor", "malicious", "lame", "attack", "prior", "simple", "hpack", "homepage", "easy", "live", "cookie", "explorer", "config", "rush", "spark", "chat", "media", "webview", "trigger", "northstar", "monitoring", "false", "impact", "dino", "example", "splash", "macos", "notifier", "error", "spring", "this", "neutrino", "tools", "template", "crow", "magento", "zimbra", "drop", "stack", "linear", "blocker", "deleter", "main", "face", "arch", "hosts", "bifrost", "recursive", "cobaltstrike", "luckycat", "brain", "apt", "php", "rat", "hacktool", "worm", "meterpreter", "obfuscated", "evasive", "exaramel", "anti-vm" ], "references": [ "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [ "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 14071, "FileHash-MD5": 979, "FileHash-SHA1": 2568, "FileHash-SHA256": 636, "URL": 43905, "domain": 2031, "email": 31, "hostname": 3621 }, "indicator_count": 67842, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "404 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6665c84b687c5e16b95e8f8e", "name": "94.152.152.223 v65023.niebieski.net Cyber_Folks S.A. (vgt.pl)", "description": "SHA1 32223ade25c4a1d39cb8ac13042e8e6dfe3ca78f , SHA1 \n 99987c1ee1ddb7fd113abd65c836fbb71c3da4da\n Role: UPX , Ransomware , Trojan , Mirai , Buschido Mirai antywirusowe\nWin.Trojan.VBGeneric-6735875-0 , Robak:Win32/Mofksys.RND!MTB", "modified": "2024-12-31T01:53:43.222000", "created": "2024-06-09T15:20:43.178000", "tags": [ "expiration", "no expiration", "url http", "url https", "hostname", "domain", "ipv4", "filehashsha256", "fh no", "filehashmd5", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "pl o", "unizeto", "sa ou", "urzd", "certum cn" ], "references": [ "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [ "Poland", "United States of America", "Germany", "Netherlands" ], "malware_families": [ { "id": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "display_name": "Serwer A Przed\u0142u\u017cenie sesji #{text} Wojcieszyce PL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027.004", "name": "Compile After Delivery", "display_name": "T1027.004 - Compile After Delivery" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1553.006", "name": "Code Signing Policy Modification", "display_name": "T1553.006 - Code Signing Policy Modification" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.001", "name": "Invalid Code Signature", "display_name": "T1036.001 - Invalid Code Signature" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3205, "FileHash-SHA1": 2671, "FileHash-SHA256": 11469, "SSLCertFingerprint": 6, "URL": 5435, "domain": 1356, "email": 55, "hostname": 2205, "CVE": 13, "YARA": 4, "CIDR": 1, "IPv4": 25, "FileHash-IMPHASH": 1, "BitcoinAddress": 2, "IPv6": 13 }, "indicator_count": 26461, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "516 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669ac41b3186b8cc8c40e9e3", "name": "Powershell", "description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832", "modified": "2024-09-01T17:02:12.379000", "created": "2024-07-19T19:52:59.626000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4402, "URL": 1463, "domain": 621, "hostname": 1159, "FileHash-MD5": 423, "FileHash-SHA1": 423 }, "indicator_count": 8491, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a552ac0b6570454709f7", "name": "Kelowna detachment - British Columbia (Pulse created by ellenmmm)", "description": "", "modified": "2023-12-06T16:46:09.708000", "created": "2023-12-06T16:46:09.708000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1349, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1237, "CIDR": 8 }, "indicator_count": 11592, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a127b18f314c64abf0ca", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information", "description": "", "modified": "2023-12-06T16:28:23.639000", "created": "2023-12-06T16:28:23.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a11eb966ec5b823d2ae8", "name": "Drive By Malware", "description": "", "modified": "2023-12-06T16:28:14.217000", "created": "2023-12-06T16:28:14.217000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a11966ff39f73aed8c7d", "name": "Fileless Malware", "description": "", "modified": "2023-12-06T16:28:09.128000", "created": "2023-12-06T16:28:09.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1651, "FileHash-MD5": 32, "FileHash-SHA1": 25, "hostname": 939, "domain": 339, "URL": 2307, "email": 2 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709fb3b919327802eaa6c5", "name": "Kelowna detachment - British Columbia", "description": "", "modified": "2023-12-06T16:22:11.032000", "created": "2023-12-06T16:22:11.032000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1349, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1237, "CIDR": 8 }, "indicator_count": 11592, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657083fdc68c74974fe8a9fb", "name": "cass.ballottrax.net:voter:%22", "description": "", "modified": "2023-12-06T14:23:56.285000", "created": "2023-12-06T14:23:56.285000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 640, "hostname": 145, "domain": 121, "URL": 510, "CIDR": 5, "FileHash-MD5": 10 }, "indicator_count": 1431, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657083f0caaf3104532d619b", "name": "apps.crowdtangle.com:chrome-extension%22", "description": "", "modified": "2023-12-06T14:23:44.276000", "created": "2023-12-06T14:23:44.276000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 796, "hostname": 313, "domain": 123, "URL": 880, "CIDR": 9, "FileHash-MD5": 50, "FileHash-SHA1": 2 }, "indicator_count": 2173, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657083ed4fcdc6eded29d59b", "name": "crowdtangle.com 03.29.2017", "description": "", "modified": "2023-12-06T14:23:41.446000", "created": "2023-12-06T14:23:41.446000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 989, "domain": 121, "hostname": 196, "URL": 612, "CIDR": 6, "FileHash-MD5": 4 }, "indicator_count": 1928, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657081e1d76cdb2f325ea5f3", "name": "apps.crowdtangle.com:public-hub:covid19:us%22", "description": "", "modified": "2023-12-06T14:14:57.245000", "created": "2023-12-06T14:14:57.245000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 808, "hostname": 367, "domain": 149, "URL": 1095, "CIDR": 9, "FileHash-MD5": 50, "FileHash-SHA1": 2 }, "indicator_count": 2480, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708017933fec4e15c7989d", "name": "ripe.net", "description": "", "modified": "2023-12-06T14:07:19.213000", "created": "2023-12-06T14:07:19.213000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 454, "FileHash-SHA256": 293, "hostname": 119, "domain": 43, "email": 2, "FileHash-MD5": 5, "FileHash-SHA1": 1, "CIDR": 2 }, "indicator_count": 919, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707f8475d8a8785dfc5a2f", "name": "Zetalytics API", "description": "", "modified": "2023-12-06T14:04:52.250000", "created": "2023-12-06T14:04:52.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 754, "hostname": 833, "domain": 441, "URL": 2375, "CIDR": 5, "FileHash-MD5": 2, "email": 1 }, "indicator_count": 4411, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653d7d56a781ee979d979119", "name": "Best crypto exchange to buy cryptocurrency in Singapore | Coinhako", "description": "", "modified": "2023-11-27T21:01:16.697000", "created": "2023-10-28T21:29:58.671000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 384, "domain": 167, "hostname": 237, "FileHash-SHA256": 4091, "FileHash-MD5": 802, "FileHash-SHA1": 802 }, "indicator_count": 6483, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ee7075f37dad88d73c3830", "name": "Fileless Malware", "description": "An example of 1 dangerous exploit. \nThis happened on Brand New fully updated locked down Apple iPhone, Samsung. If you happen to be looking at your phone, you may witness the following: Google logo on appengine.goohke .com Drive By will have a disclaimer that it is NOT affiliate.\nYou will see:\nhttps://accounts.google.com/AccountChooser?continue\nAll of your Gmail accounts will be displayed your primary account will be checked. The drive by happens at tspeed of 2 -3 seconds. Without clicking, your entire phone is compromised. Every account, locations, maps, YouTube, voice, camera, , keyloggers installed. This is not your fault. You are a target. There are empty hashes. It's fileless malware which does not write to storage. \nPhishing, malware hosting, other IoC s.\nExtremely hazardous, renders phone a zombie. New network and data plan all without your explicit consent.\nWelcome to the BotNetwork.\nhttp://appengine.google.com/\naccounts.google.com\nconsent.google.com/m?---- (Forced Consent on iOS device)", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:25:53.474000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "975 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64eed9e039cd84d4b7b9aa54", "name": "MITRE ATT&C - T1140 - Deobfuscate/Decode Files or Information ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-30T05:55:44.012000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee70f9eaecf035471ff80c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "975 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ee70f9eaecf035471ff80c", "name": "Drive By Malware ", "description": "", "modified": "2023-09-28T21:05:16.310000", "created": "2023-08-29T22:28:09.867000", "tags": [ "as15169 google", "united", "aaaa", "domain", "search", "cname", "passive dns", "urls", "entries", "dashboard", "date", "sha1", "ssdeep", "tnull file", "magic", "file size", "software", "ioctype", "iocvalue", "refunds", "show less", "line", "value", "august", "variables", "recordimlel", "fcssrowkey", "ijvalues", "wjdd object", "berr", "mxndff boolean", "url age" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "64ee7075f37dad88d73c3830", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 339, "email": 2, "FileHash-MD5": 32, "FileHash-SHA1": 25, "FileHash-SHA256": 1651, "hostname": 939, "URL": 2307 }, "indicator_count": 5295, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "975 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d95fd67f4ea1e4a8cb8d38", "name": "Kelowna detachment - British Columbia", "description": "https://www.rcmp-grc.gc.ca/detach/en/d/201", "modified": "2023-09-21T05:02:23.556000", "created": "2023-08-13T22:57:26.810000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1488, "domain": 1323, "email": 70, "URL": 1453, "FileHash-SHA1": 2122, "FileHash-SHA256": 9810, "FileHash-MD5": 2117, "CVE": 15, "CIDR": 8 }, "indicator_count": 18406, "is_author": false, "is_subscribing": null, "subscriber_count": 87, "modified_text": "983 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507da1c48c6e5e5dd1ce72f", "name": "Kelowna detachment - British Columbia (Pulse created by ellenmmm)", "description": "", "modified": "2023-09-21T05:02:23.556000", "created": "2023-09-18T05:03:24.704000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d95fd67f4ea1e4a8cb8d38", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1488, "domain": 1323, "email": 70, "URL": 1453, "FileHash-SHA1": 2122, "FileHash-SHA256": 9810, "FileHash-MD5": 2117, "CVE": 15, "CIDR": 8 }, "indicator_count": 18406, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "983 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636514318fd74440ced37e81", "name": "Fuck love", "description": "", "modified": "2022-12-04T13:02:11.982000", "created": "2022-11-04T13:31:29.040000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1455", "name": "Exploit Baseband Vulnerability", "display_name": "T1455 - Exploit Baseband Vulnerability" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Masterdaddy35", "id": "214420", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "1273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63650d349700681fba51656c", "name": "Fuck love", "description": "", "modified": "2022-12-04T13:02:11.982000", "created": "2022-11-04T13:01:40.330000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Masterdaddy35", "id": "214420", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "1273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6267e4381a37f5d6c26ec679", "name": "its all here", "description": "", "modified": "2022-05-26T00:02:33.465000", "created": "2022-04-26T12:23:20.647000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 282, "domain": 155, "FileHash-SHA256": 461, "URL": 501, "FileHash-MD5": 1 }, "indicator_count": 1400, "is_author": false, "is_subscribing": null, "subscriber_count": 397, "modified_text": "1466 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231eff11998f0376e1e3edf", "name": "cass.ballottrax.net:voter:%22", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T14:10:57.861000", "tags": [], "references": [ "cass.ballottrax.net:voter:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 511, "hostname": 145, "domain": 121, "FileHash-SHA256": 640, "CIDR": 5, "FileHash-MD5": 10 }, "indicator_count": 1432, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231e48eb1fb59ef10548bc6", "name": "apps.crowdtangle.com:chrome-extension%22", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T13:22:22.953000", "tags": [ "WannaCry" ], "references": [ "apps.crowdtangle.com:chrome-extension%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 313, "URL": 881, "domain": 123, "FileHash-SHA256": 796, "CIDR": 9, "FileHash-MD5": 50, "FileHash-SHA1": 2 }, "indicator_count": 2174, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231e27f73bce35cac1ac401", "name": "crowdtangle.com 03.29.2017", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T13:13:35.659000", "tags": [ "WannaCry" ], "references": [ "crowdtangle.com 03.29.2017.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 196, "URL": 613, "FileHash-SHA256": 989, "domain": 121, "CIDR": 6, "FileHash-MD5": 4 }, "indicator_count": 1929, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1507 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6230eadfb843c17a2e3d4de9", "name": "apps.crowdtangle.com:public-hub:covid19:us%22", "description": "", "modified": "2022-04-14T00:01:40.805000", "created": "2022-03-15T19:37:03.767000", "tags": [ "WannaCry" ], "references": [ "apps.crowdtangle.com:public-hub:covid19:us%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 367, "URL": 1096, "domain": 149, "FileHash-SHA256": 808, "CIDR": 9, "FileHash-MD5": 50, "FileHash-SHA1": 2 }, "indicator_count": 2481, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622f4cef2e2c24465b469fdb", "name": "hartintercivic.com:voting-solutions:verityoverview:%22", "description": "23 Jan 2021", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T14:10:55.404000", "tags": [], "references": [ "hartintercivic.com:voting-solutions:verityoverview:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 16, "URL": 42, "FileHash-SHA256": 23, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622f48cc0bd48e976e5bb3d8", "name": "hartintercivic.com/voting-solutions/verityoverview/\", ~ 12.16.2020", "description": "", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T13:53:16.010000", "tags": [], "references": [ "www.hartintercivic.com:voting-solutions:verityoverview:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 211, "URL": 475, "domain": 51, "FileHash-SHA256": 666, "CIDR": 5, "FileHash-MD5": 33 }, "indicator_count": 1441, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622103f1f3636f5441c89605", "name": "ripe.net", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T18:07:45.817000", "tags": [ "a domains", "ripe network", "script urls", "united", "ripe ncc", "date", "meta", "link", "search", "name servers", "accept" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 119, "URL": 454, "domain": 43, "FileHash-SHA256": 293, "email": 2, "FileHash-MD5": 5, "FileHash-SHA1": 1, "CIDR": 2 }, "indicator_count": 919, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1520 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "621bc27f48110d4017031e71", "name": "Centergate.com API 5.20.20", "description": "", "modified": "2022-03-29T00:03:34.773000", "created": "2022-02-27T18:27:11.667000", "tags": [ "ubuntu", "request", "macintosh", "intel mac", "os x", "khtml", "gecko", "general check", "show", "download go", "behaviour", "pragma", "search url", "search domain", "scan url", "rescan add", "verdict report", "in summary", "http", "redirects links", "similar dom", "lookup go", "content api", "domains" ], "references": [ "centergate 1.pdf", "centergate api.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 58, "URL": 97, "hostname": 24, "domain": 6, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 188, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1524 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "621bc3aa050a6c5693595f25", "name": "Zetalytics API", "description": "", "modified": "2022-03-29T00:03:34.773000", "created": "2022-02-27T18:32:10.542000", "tags": [ "google", "google llc", "detected", "expand overall", "http", "amazonaes", "openssl", "lookup go", "rescan add", "verdict report", "behaviour", "june", "apache", "search url", "search domain", "scan url", "url search", "domain scan", "url url", "us summary", "line", "google maps", "api warning", "redirects links", "similar dom", "content api", "domains", "Ransomware" ], "references": [ "zetalytics .pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "display_name": "TELPER:CERT:SoftwareBundler:Win32/Bunpredelt", "target": null }, { "id": "Trojan:Win32/Danabot.G", "display_name": "Trojan:Win32/Danabot.G", "target": "/malware/Trojan:Win32/Danabot.G" }, { "id": "Backdoor:Win32/Poison.E", "display_name": "Backdoor:Win32/Poison.E", "target": "/malware/Backdoor:Win32/Poison.E" }, { "id": "ALF:PUA:Block:IObit.R!MTB", "display_name": "ALF:PUA:Block:IObit.R!MTB", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 754, "URL": 2375, "domain": 441, "hostname": 833, "CIDR": 5, "FileHash-MD5": 2, "email": 1 }, "indicator_count": 4411, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1524 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "msudosos note: Caution is required as I have noticed this accross multiple support sites.", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://bhive.nectar.social/rKvoMY", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "zetalytics .pdf", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "www.hartintercivic.com:voting-solutions:verityoverview:%22,.pdf", "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://www.virustotal.com/graph/embed/g421f9bbfc29448f8acd6e6e0eaa616e332de270d8f5c4b34bcfc69f325a7bbc7?theme=dark", "cass.ballottrax.net:voter:%22,.pdf", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary", "https://www.anyxxxtube.net/search-porn/", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "https://viz.greynoise.io/analysis/4627bc3a-0238-4f2f-ad5c-c50527", "https://viz.greynoise.io/analysis/a40cf3ce-d048-47c1-94b7-730b71", "http://appleid.app", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "Domains Contacted api.nuget.org", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://viz.greynoise.io/analysis/f3d70a4f-14b1-4d26-8617-98d591", "apps.crowdtangle.com:chrome-extension%22,.pdf", "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs", "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://www.fidelity.com/ https://www.fidelity.com/", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://n0paste.eu/UH6n5pD/", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "apps.crowdtangle.com:public-hub:covid19:us%22,.pdf", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "hartintercivic.com:voting-solutions:verityoverview:%22,.pdf", "centergate api.pdf", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "crowdtangle.com 03.29.2017.pdf", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1", "centergate 1.pdf", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "TrojanDownloader:Win32/Nemucod" ], "malware_families": [ "Trojan:win32/danabot.g", "Backdoor:win32/poison.e", "Alf:pua:block:iobit.r!mtb", "Dnstrojan", "Win64:trojan-gen", "Win32:cryptor", "Trojan:win32/ausiv!rfn", "Win.virus.polyransom-5704625-0", "Alf:heraklezeval:trojan:win32/eqtonex.f", "Trojan:win32/miner.ka!mtb", "Serwer a przed\u0142u\u017cenie sesji #{text} wojcieszyce pl", "Trojan:pdf/phish.rr!mtb", "Trojandropper:win32/qhost", "Win.ransomware.wannacry-9856297-0", "Tofsee", "Trojan:bat/musecador", "Trojan:msil/ursu.kp", "Eternalrocks", "Telper:cert:softwarebundler:win32/bunpredelt", "Alf:heraklezeval:trojan:msil/gravityrat", "Trojan:win32/conbea!rfn", "Win32:trojanx-gen\\ [trj]", ": alf:trojan:msil/azorult.ac!", "Alf:trojan:win32/cryptwrapper.rt!mtb" ], "industries": [ "Government", "Insurance", "Technology", "Healthcare", "Telecommunications", "Finance", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 47, "pulses": [ { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e30ffa710fafb6d651ca89", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:36.582000", "created": "2026-04-18T05:00:42.166000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1354, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1401, "email": 62, "domain": 1239, "CIDR": 8 }, "indicator_count": 11599, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e30ffde212f52470137868", "name": "Kelowna detachment - British Columbia by streamminingex", "description": "", "modified": "2026-04-18T05:46:26.897000", "created": "2026-04-18T05:00:45.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6570a552ac0b6570454709f7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 15, "URL": 1358, "FileHash-MD5": 1308, "FileHash-SHA1": 1314, "FileHash-SHA256": 4898, "hostname": 1405, "email": 62, "domain": 1242, "CIDR": 8 }, "indicator_count": 11610, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6995ec2803ec8263d6cb9902", "name": "Potential for Abuse on Trusted Support Sites", "description": "Analysis of AlienVault OTX data shows that support.apple.com\u2014a whitelisted domain\u2014is associated with 69 malicious files, including Sodinokibi and BazarLoader.\nThe Potential for Abuse:\nBecause these domains are trusted by security filters (like Cisco Umbrella), they may be being used to:\nBypass Firewalls: Mask malicious traffic behind a \"safe\" reputation.\nTarget Vulnerable Users: Exploit the trust of people in high-stress situations who are seeking help.\nHide in Subdomains: Use fragmented assets (like rss.support.*) to avoid active monitoring.\nThe Precaution:\nWhitelisted status does not equal absolute safety. Researchers and users should:\nCheck Certificates: Verify the SSL/TLS Certificate is official.\nVerify Redirects: Check for Open Redirect triggers in links.\nNavigate Directly: Type URLs manually when possible.\nConclusion:\nSupport infrastructure is a high-trust environment. This trust may be being used to target users when they are most vulnerable. Caution is required.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-18T16:43:20.757000", "tags": [], "references": [ "", "msudosos note: Caution is required as I have noticed this accross multiple support sites." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 232, "URL": 112, "domain": 178, "CVE": 23, "FileHash-MD5": 62, "FileHash-SHA1": 59, "FileHash-SHA256": 59, "email": 1 }, "indicator_count": 726, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "apache.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "apache.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780212835.9453545 }