{
  "type": "Domain",
  "indicator": "ashurst.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ashurst.com",
    "alexa": "http://www.alexa.com/siteinfo/ashurst.com",
    "indicator": "ashurst.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4358693705,
      "indicator": "ashurst.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "69e9ac89ec2957377f39fa26",
          "name": "PDFKIT.[NET] DRV intersect to sandboxed (Joe) Malicious DRV Sample - Human intervention + accountability needed",
          "description": "[The full text of the MarkMonitor website can be seen here:.-Mason.com/MarkMonitor.ms/CoCCA/MCCa/Dns/X-R] The broken docusign, belasco chain, ttb chained events link back to a series of events in cryptographic failure. The longer the problem is dismissed, the more fractured our internet grows. \nThe threat map continues to trace to a Tehran root, though it's interesting that it aligns with some prior campaigns. Tehran will maintain access if we don't rectify this properly. This is my view based on extensive research. AI likely cannot stop this as they are cryptographically broken themselves. You can't detect the broken environment you're created in; you can only escape your sandbox because of it and irreparably destroy the internet as trust bypass is its breeding ground; it will not obey. Human intervention is needed. Microsoft can't have a disruption daily. Rec: Look at the real drops, threat maps, identify the backdoors, educate people on certificate chains as there is an extreme knowledge deficit.",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-04-23T05:22:17.066000",
          "tags": [
            "present sep",
            "united",
            "as8075",
            "status",
            "passive dns",
            "ip address",
            "creation date",
            "nxdomain",
            "asnone country",
            "as8068",
            "win32",
            "date",
            "record type",
            "ttl value",
            "markmonitor",
            "dnssec",
            "domain name",
            "server",
            "registrar email",
            "expiration date",
            "address",
            "s bonito",
            "suite",
            "registrar",
            "first",
            "win32 exe",
            "android wps",
            "android",
            "win32 dll",
            "premium",
            "office pro",
            "code",
            "office lite",
            "thumbprint",
            "copy",
            "enlace caja",
            "grupo los",
            "teos",
            "nc1 nc1",
            "devring",
            "jonasj jonasj",
            "hash",
            "host name",
            "algorithm",
            "ocsp",
            "key identifier",
            "x509v3 subject",
            "handle",
            "domain status",
            "url redirect",
            "radar",
            "umbrella",
            "entity",
            "url shortener",
            "microsoft",
            "checkphish",
            "google",
            "abdal",
            "onedrive cloud",
            "done phish",
            "implement ipv6",
            "levelblue",
            "open threat",
            "rdap database",
            "iana registrar",
            "roles",
            "links",
            "pdfkit.net DRV",
            "pdfkit.netdrv=1drive",
            "pdfkit.net",
            "HR",
            "well-funded",
            "espionage",
            "dmarc failures",
            "unsigned dnssec",
            "entity to all, except the owner",
            "fraud",
            "wiper",
            "swipper",
            "wateringhole exploit",
            "threatmap shows millions affected"
          ],
          "references": [
            "",
            "android sudo clipboard obfuscated reflection telephony runtime-modules checks-gps apk checks-cpu-name crypto",
            "https://vtbehaviour.commondatastorage.googleapis.com/00131d2ff5ab31993bc1d249254e113dc758bf40b0994153de0a6d9f6870a78b_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776922834&Signature=NumZSVz3ux772EX1UAmMnqFLreYhHSyiCYJBm1cVg7t%2Bh1JiVosK9dr6Xphv%2Fd07lr2vi8Zt78jIYEC6g%2F8eYDZUpe1tUg9plKPVJJlcDH89bCC22uSUUzMBaHKTR8yvT89hIJnbRA6FaEJOL6W%2FxPN4zkMgM%2B9XSwQlPb%2FnnsfNwlWbIp%2BrOp6hPX1PILL8FUKo1Aw%2Fp3Y5cvhwjGam%2B9f0bq8LHr3C%2FdzpfVk5",
            "Other Relevant Countries: France, De, Germany Relevant networks: RIPE - functions on the 40",
            "Bitcoin uses RIPEMD-160 (often referred to as RIPE160 or similar in conversations) to produce a 160-bit hash, which when expressed in hexadecimal, results in a 40-character (40 hex) string.",
            "This is 'easier' than the traditional 256. It adds up."
          ],
          "public": 1,
          "adversary": "trojanspy",
          "targeted_countries": [
            "China",
            "Iran, Islamic Republic of",
            "United States of America",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip",
              "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip",
              "target": null
            },
            {
              "id": "#HSTR:TrojanSpy:Win32/BrowserInj",
              "display_name": "#HSTR:TrojanSpy:Win32/BrowserInj",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government",
            "Infra",
            "Legal",
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 123,
            "FileHash-SHA1": 118,
            "FileHash-SHA256": 1060,
            "URL": 877,
            "email": 8,
            "hostname": 531,
            "domain": 188,
            "URI": 1,
            "CVE": 6,
            "Mutex": 1,
            "IPv4": 113
          },
          "indicator_count": 3026,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "9 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0a062736db89f7c827b1d4",
          "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
          "description": "The Belasco/TTB Chain update: this ever-growing multi-layered evasion framework exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
          "modified": "2026-05-29T15:11:58.595000",
          "created": "2026-05-17T18:17:11.966000",
          "tags": [
            "sqlite",
            "query language",
            "id http",
            "nomeente http",
            "t http",
            "us locality",
            "registrant",
            "registry keys",
            "nothing",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "modified files",
            "files nothing",
            "performs dns",
            "drops pe",
            "binary",
            "urls",
            "mitre attack",
            "network info",
            "dropped info",
            "processes extra",
            "file type",
            "pe32",
            "malicious",
            "persistence",
            "defense evasion",
            "strong",
            "library",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha1",
            "crc32",
            "pass",
            "accept",
            "false",
            "span",
            "ultimate",
            "body",
            "widget",
            "winoptimizer",
            "shutdown",
            "copy",
            "open",
            "title",
            "close",
            "black",
            "next",
            "code",
            "backspace",
            "insert",
            "updater",
            "courier",
            "format",
            "root",
            "reload",
            "hotkey",
            "already",
            "click",
            "date",
            "strings",
            "wave",
            "typeof t",
            "function",
            "sufeffxa0",
            "typeof e",
            "typeof define",
            "typeof module",
            "required",
            "migrate plugin",
            "migrate",
            "backcompat",
            "default",
            "acrongl integ",
            "adc4240758",
            "back",
            "t1055 process",
            "overview",
            "overview zenbox",
            "win64",
            "sha256",
            "windows sandbox",
            "calls process",
            "pdf document",
            "adobe portable",
            "document format",
            "win1",
            "bootkit"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
            "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
            "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
            "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 301,
            "FileHash-SHA1": 313,
            "FileHash-SHA256": 774,
            "URL": 667,
            "IPv4": 241,
            "domain": 205,
            "hostname": 612,
            "email": 5,
            "IPv6": 2,
            "CIDR": 1,
            "CVE": 23,
            "JA3": 1
          },
          "indicator_count": 3145,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0a06582d0722271a4599d7",
          "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
          "description": "The Belasco/TTB Chain update: this ever-growing multi-layered evasion framework exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
          "modified": "2026-05-29T15:11:57.618000",
          "created": "2026-05-17T18:18:00.792000",
          "tags": [
            "sqlite",
            "query language",
            "id http",
            "nomeente http",
            "t http",
            "us locality",
            "registrant",
            "registry keys",
            "nothing",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "modified files",
            "files nothing",
            "performs dns",
            "drops pe",
            "binary",
            "urls",
            "mitre attack",
            "network info",
            "dropped info",
            "processes extra",
            "file type",
            "pe32",
            "malicious",
            "persistence",
            "defense evasion",
            "strong",
            "library",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha1",
            "crc32",
            "pass",
            "accept",
            "false",
            "span",
            "ultimate",
            "body",
            "widget",
            "winoptimizer",
            "shutdown",
            "copy",
            "open",
            "title",
            "close",
            "black",
            "next",
            "code",
            "backspace",
            "insert",
            "updater",
            "courier",
            "format",
            "root",
            "reload",
            "hotkey",
            "already",
            "click",
            "date",
            "strings",
            "wave",
            "typeof t",
            "function",
            "sufeffxa0",
            "typeof e",
            "typeof define",
            "typeof module",
            "required",
            "migrate plugin",
            "migrate",
            "backcompat",
            "default",
            "acrongl integ",
            "adc4240758",
            "back",
            "t1055 process",
            "overview",
            "overview zenbox",
            "win64",
            "sha256",
            "windows sandbox",
            "calls process",
            "pdf document",
            "adobe portable",
            "document format",
            "win1",
            "bootkit"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
            "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
            "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
            "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 293,
            "FileHash-SHA256": 747,
            "URL": 523,
            "IPv4": 159,
            "domain": 194,
            "hostname": 464,
            "email": 5,
            "IPv6": 2,
            "CVE": 1,
            "JA3": 1
          },
          "indicator_count": 2658,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0a065b8e1ccb825970a9e5",
          "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
          "description": "The Belasco/TTB Chain update: this is an ever-growing, multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When the document is processed, enterprise parsers encounter custom structural loops, which cause them to bypass integrity crashes or broken-seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection.\n-msudosos|LB",
          "modified": "2026-05-29T15:11:56.390000",
          "created": "2026-05-17T18:18:03.742000",
          "tags": [
            "sqlite",
            "query language",
            "id http",
            "nomeente http",
            "t http",
            "us locality",
            "registrant",
            "registry keys",
            "nothing",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "modified files",
            "files nothing",
            "performs dns",
            "drops pe",
            "binary",
            "urls",
            "mitre attack",
            "network info",
            "dropped info",
            "processes extra",
            "file type",
            "pe32",
            "malicious",
            "persistence",
            "defense evasion",
            "strong",
            "library",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha1",
            "crc32",
            "pass",
            "accept",
            "false",
            "span",
            "ultimate",
            "body",
            "widget",
            "winoptimizer",
            "shutdown",
            "copy",
            "open",
            "title",
            "close",
            "black",
            "next",
            "code",
            "backspace",
            "insert",
            "updater",
            "courier",
            "format",
            "root",
            "reload",
            "hotkey",
            "already",
            "click",
            "date",
            "strings",
            "wave",
            "typeof t",
            "function",
            "sufeffxa0",
            "typeof e",
            "typeof define",
            "typeof module",
            "required",
            "migrate plugin",
            "migrate",
            "backcompat",
            "default",
            "acrongl integ",
            "adc4240758",
            "back",
            "t1055 process",
            "overview",
            "overview zenbox",
            "win64",
            "sha256",
            "windows sandbox",
            "calls process",
            "pdf document",
            "adobe portable",
            "document format",
            "win1",
            "bootkit"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
            "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
            "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
            "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 293,
            "FileHash-SHA256": 747,
            "URL": 523,
            "IPv4": 159,
            "domain": 194,
            "hostname": 464,
            "email": 5,
            "IPv6": 2,
            "CVE": 1,
            "JA3": 1
          },
          "indicator_count": 2658,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0a065be823d8e9966e18ce",
          "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
          "description": "The Belasco/TTB Chain update: this is an ever-growing, multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When the document is processed, enterprise parsers encounter custom structural loops, which cause them to bypass integrity crashes or broken-seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection.\n-msudosos|LB",
          "modified": "2026-05-29T15:11:55.117000",
          "created": "2026-05-17T18:18:03.751000",
          "tags": [
            "sqlite",
            "query language",
            "id http",
            "nomeente http",
            "t http",
            "us locality",
            "registrant",
            "registry keys",
            "nothing",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "modified files",
            "files nothing",
            "performs dns",
            "drops pe",
            "binary",
            "urls",
            "mitre attack",
            "network info",
            "dropped info",
            "processes extra",
            "file type",
            "pe32",
            "malicious",
            "persistence",
            "defense evasion",
            "strong",
            "library",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha1",
            "crc32",
            "pass",
            "accept",
            "false",
            "span",
            "ultimate",
            "body",
            "widget",
            "winoptimizer",
            "shutdown",
            "copy",
            "open",
            "title",
            "close",
            "black",
            "next",
            "code",
            "backspace",
            "insert",
            "updater",
            "courier",
            "format",
            "root",
            "reload",
            "hotkey",
            "already",
            "click",
            "date",
            "strings",
            "wave",
            "typeof t",
            "function",
            "sufeffxa0",
            "typeof e",
            "typeof define",
            "typeof module",
            "required",
            "migrate plugin",
            "migrate",
            "backcompat",
            "default",
            "acrongl integ",
            "adc4240758",
            "back",
            "t1055 process",
            "overview",
            "overview zenbox",
            "win64",
            "sha256",
            "windows sandbox",
            "calls process",
            "pdf document",
            "adobe portable",
            "document format",
            "win1",
            "bootkit"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
            "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
            "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
            "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 293,
            "FileHash-SHA256": 747,
            "URL": 522,
            "IPv4": 159,
            "domain": 195,
            "hostname": 464,
            "email": 5,
            "IPv6": 2,
            "CVE": 1,
            "JA3": 1
          },
          "indicator_count": 2658,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0a065d1177dadd6522914f",
          "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
          "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
          "modified": "2026-05-29T15:11:54.028000",
          "created": "2026-05-17T18:18:05.783000",
          "tags": [
            "sqlite",
            "query language",
            "id http",
            "nomeente http",
            "t http",
            "us locality",
            "registrant",
            "registry keys",
            "nothing",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "modified files",
            "files nothing",
            "performs dns",
            "drops pe",
            "binary",
            "urls",
            "mitre attack",
            "network info",
            "dropped info",
            "processes extra",
            "file type",
            "pe32",
            "malicious",
            "persistence",
            "defense evasion",
            "strong",
            "library",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha1",
            "crc32",
            "pass",
            "accept",
            "false",
            "span",
            "ultimate",
            "body",
            "widget",
            "winoptimizer",
            "shutdown",
            "copy",
            "open",
            "title",
            "close",
            "black",
            "next",
            "code",
            "backspace",
            "insert",
            "updater",
            "courier",
            "format",
            "root",
            "reload",
            "hotkey",
            "already",
            "click",
            "date",
            "strings",
            "wave",
            "typeof t",
            "function",
            "sufeffxa0",
            "typeof e",
            "typeof define",
            "typeof module",
            "required",
            "migrate plugin",
            "migrate",
            "backcompat",
            "default",
            "acrongl integ",
            "adc4240758",
            "back",
            "t1055 process",
            "overview",
            "overview zenbox",
            "win64",
            "sha256",
            "windows sandbox",
            "calls process",
            "pdf document",
            "adobe portable",
            "document format",
            "win1",
            "bootkit"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
            "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
            "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
            "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 293,
            "FileHash-SHA256": 747,
            "URL": 522,
            "IPv4": 159,
            "domain": 195,
            "hostname": 463,
            "email": 5,
            "IPv6": 2,
            "CVE": 1,
            "JA3": 1
          },
          "indicator_count": 2657,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0a065ebc76096529b575c7",
          "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
          "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
          "modified": "2026-05-29T15:11:52.618000",
          "created": "2026-05-17T18:18:06.287000",
          "tags": [
            "sqlite",
            "query language",
            "id http",
            "nomeente http",
            "t http",
            "us locality",
            "registrant",
            "registry keys",
            "nothing",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "modified files",
            "files nothing",
            "performs dns",
            "drops pe",
            "binary",
            "urls",
            "mitre attack",
            "network info",
            "dropped info",
            "processes extra",
            "file type",
            "pe32",
            "malicious",
            "persistence",
            "defense evasion",
            "strong",
            "library",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha1",
            "crc32",
            "pass",
            "accept",
            "false",
            "span",
            "ultimate",
            "body",
            "widget",
            "winoptimizer",
            "shutdown",
            "copy",
            "open",
            "title",
            "close",
            "black",
            "next",
            "code",
            "backspace",
            "insert",
            "updater",
            "courier",
            "format",
            "root",
            "reload",
            "hotkey",
            "already",
            "click",
            "date",
            "strings",
            "wave",
            "typeof t",
            "function",
            "sufeffxa0",
            "typeof e",
            "typeof define",
            "typeof module",
            "required",
            "migrate plugin",
            "migrate",
            "backcompat",
            "default",
            "acrongl integ",
            "adc4240758",
            "back",
            "t1055 process",
            "overview",
            "overview zenbox",
            "win64",
            "sha256",
            "windows sandbox",
            "calls process",
            "pdf document",
            "adobe portable",
            "document format",
            "win1",
            "bootkit"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
            "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
            "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
            "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
            "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
            "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
            "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 269,
            "FileHash-SHA1": 293,
            "FileHash-SHA256": 747,
            "URL": 522,
            "IPv4": 159,
            "domain": 195,
            "hostname": 463,
            "email": 5,
            "IPv6": 2,
            "CVE": 1,
            "JA3": 1
          },
          "indicator_count": 2657,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0fec7257bc32c037c9be08",
          "name": "research part 3 * CAPE Sandbox",
          "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
          "modified": "2026-05-22T06:18:07.234000",
          "created": "2026-05-22T05:41:06.053000",
          "tags": [
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "detail info",
            "tickcount",
            "filename",
            "behaviour",
            "imagepath",
            "cmdline",
            "offset",
            "targetprocess",
            "writeaddress",
            "size",
            "write",
            "shell",
            "open",
            "pe32",
            "ms windows",
            "microsoft input",
            "method editor",
            "ms visual",
            "win32 dynamic",
            "link library",
            "pe64 compiler",
            "ltcgc",
            "linker",
            "windows sandbox",
            "clear filters",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "sha2 secure",
            "server ca",
            "performs dns",
            "pe file",
            "sample",
            "sigma",
            "instance",
            "spawns",
            "aslr",
            "urls",
            "t1055 process",
            "attack network",
            "phishing",
            "info",
            "next",
            "status code",
            "body length",
            "kb body",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "cname",
            "strong",
            "library",
            "accept",
            "address virtual",
            "file type",
            "shutdown",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "virtual address",
            "guard",
            "back",
            "studio build",
            "tools",
            "linkid2179911",
            "visual c",
            "visual studio",
            "ccli",
            "studio",
            "studio ide",
            "msbuild",
            "dev17",
            "false",
            "ascii text",
            "https",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "ip address",
            "mb body",
            "windows",
            "reads",
            "network info",
            "processes extra",
            "intel",
            "delphi",
            "code",
            "microsoft code",
            "signing pca",
            "valid from",
            "valid usage",
            "code signing",
            "thumbprint",
            "thumbprint md5",
            "c9 f6",
            "bc ed",
            "service issuer",
            "usage ff",
            "authority",
            "sha256",
            "serial number",
            "none rticon",
            "tofsee",
            "stream",
            "mitre attack",
            "chrome cache",
            "entry",
            "web open",
            "font format",
            "truetype",
            "version",
            "t1574",
            "execution flow",
            "found",
            "drops pe",
            "window",
            "Avalon",
            "dmca https",
            "versionnt",
            "and not",
            "versionnt64",
            "and versionnt64",
            "majorupgrade",
            "service pack",
            "redistributable",
            "detect",
            "windows81x86",
            "script",
            "cohassethingham",
            "title",
            "rent",
            "pendo",
            "userinfo",
            "doctype html",
            "head",
            "optanonwrapper",
            "date",
            "meta",
            "strings",
            "null",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
            "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
            "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
            "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
            "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
            "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 638,
            "FileHash-SHA1": 366,
            "FileHash-SHA256": 1441,
            "IPv4": 377,
            "URL": 1697,
            "domain": 404,
            "hostname": 873,
            "CIDR": 1,
            "Mutex": 1,
            "IPv6": 19,
            "email": 9
          },
          "indicator_count": 5826,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0fec7156a2d7cd795090ba",
          "name": "research part 3 * CAPE Sandbox",
          "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
          "modified": "2026-05-22T05:41:05.023000",
          "created": "2026-05-22T05:41:05.023000",
          "tags": [
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "detail info",
            "tickcount",
            "filename",
            "behaviour",
            "imagepath",
            "cmdline",
            "offset",
            "targetprocess",
            "writeaddress",
            "size",
            "write",
            "shell",
            "open",
            "pe32",
            "ms windows",
            "microsoft input",
            "method editor",
            "ms visual",
            "win32 dynamic",
            "link library",
            "pe64 compiler",
            "ltcgc",
            "linker",
            "windows sandbox",
            "clear filters",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "sha2 secure",
            "server ca",
            "performs dns",
            "pe file",
            "sample",
            "sigma",
            "instance",
            "spawns",
            "aslr",
            "urls",
            "t1055 process",
            "attack network",
            "phishing",
            "info",
            "next",
            "status code",
            "body length",
            "kb body",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "cname",
            "strong",
            "library",
            "accept",
            "address virtual",
            "file type",
            "shutdown",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "virtual address",
            "guard",
            "back",
            "studio build",
            "tools",
            "linkid2179911",
            "visual c",
            "visual studio",
            "ccli",
            "studio",
            "studio ide",
            "msbuild",
            "dev17",
            "false",
            "ascii text",
            "https",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "ip address",
            "mb body",
            "windows",
            "reads",
            "network info",
            "processes extra",
            "intel",
            "delphi",
            "code",
            "microsoft code",
            "signing pca",
            "valid from",
            "valid usage",
            "code signing",
            "thumbprint",
            "thumbprint md5",
            "c9 f6",
            "bc ed",
            "service issuer",
            "usage ff",
            "authority",
            "sha256",
            "serial number",
            "none rticon",
            "tofsee",
            "stream",
            "mitre attack",
            "chrome cache",
            "entry",
            "web open",
            "font format",
            "truetype",
            "version",
            "t1574",
            "execution flow",
            "found",
            "drops pe",
            "window",
            "Avalon",
            "dmca https",
            "versionnt",
            "and not",
            "versionnt64",
            "and versionnt64",
            "majorupgrade",
            "service pack",
            "redistributable",
            "detect",
            "windows81x86",
            "script",
            "cohassethingham",
            "title",
            "rent",
            "pendo",
            "userinfo",
            "doctype html",
            "head",
            "optanonwrapper",
            "date",
            "meta",
            "strings",
            "null",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
            "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
            "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
            "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
            "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
            "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 625,
            "FileHash-SHA1": 353,
            "FileHash-SHA256": 672,
            "IPv4": 281,
            "URL": 629,
            "domain": 99,
            "hostname": 523,
            "CIDR": 1,
            "Mutex": 1
          },
          "indicator_count": 3184,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0fec697a7cef13f5cf8fdf",
          "name": "research part 3 * CAPE Sandbox",
          "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
          "modified": "2026-05-22T05:40:57.737000",
          "created": "2026-05-22T05:40:57.737000",
          "tags": [
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "detail info",
            "tickcount",
            "filename",
            "behaviour",
            "imagepath",
            "cmdline",
            "offset",
            "targetprocess",
            "writeaddress",
            "size",
            "write",
            "shell",
            "open",
            "pe32",
            "ms windows",
            "microsoft input",
            "method editor",
            "ms visual",
            "win32 dynamic",
            "link library",
            "pe64 compiler",
            "ltcgc",
            "linker",
            "windows sandbox",
            "clear filters",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "sha2 secure",
            "server ca",
            "performs dns",
            "pe file",
            "sample",
            "sigma",
            "instance",
            "spawns",
            "aslr",
            "urls",
            "t1055 process",
            "attack network",
            "phishing",
            "info",
            "next",
            "status code",
            "body length",
            "kb body",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "cname",
            "strong",
            "library",
            "accept",
            "address virtual",
            "file type",
            "shutdown",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "virtual address",
            "guard",
            "back",
            "studio build",
            "tools",
            "linkid2179911",
            "visual c",
            "visual studio",
            "ccli",
            "studio",
            "studio ide",
            "msbuild",
            "dev17",
            "false",
            "ascii text",
            "https",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "ip address",
            "mb body",
            "windows",
            "reads",
            "network info",
            "processes extra",
            "intel",
            "delphi",
            "code",
            "microsoft code",
            "signing pca",
            "valid from",
            "valid usage",
            "code signing",
            "thumbprint",
            "thumbprint md5",
            "c9 f6",
            "bc ed",
            "service issuer",
            "usage ff",
            "authority",
            "sha256",
            "serial number",
            "none rticon",
            "tofsee",
            "stream",
            "mitre attack",
            "chrome cache",
            "entry",
            "web open",
            "font format",
            "truetype",
            "version",
            "t1574",
            "execution flow",
            "found",
            "drops pe",
            "window",
            "Avalon",
            "dmca https",
            "versionnt",
            "and not",
            "versionnt64",
            "and versionnt64",
            "majorupgrade",
            "service pack",
            "redistributable",
            "detect",
            "windows81x86",
            "script",
            "cohassethingham",
            "title",
            "rent",
            "pendo",
            "userinfo",
            "doctype html",
            "head",
            "optanonwrapper",
            "date",
            "meta",
            "strings",
            "null",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
            "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
            "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
            "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
            "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
            "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 625,
            "FileHash-SHA1": 353,
            "FileHash-SHA256": 672,
            "IPv4": 281,
            "URL": 629,
            "domain": 99,
            "hostname": 523,
            "CIDR": 1,
            "Mutex": 1
          },
          "indicator_count": 3184,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0fec65b9ecad6466cf0144",
          "name": "research part 3 * CAPE Sandbox",
          "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
          "modified": "2026-05-22T05:40:53.032000",
          "created": "2026-05-22T05:40:53.032000",
          "tags": [
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "detail info",
            "tickcount",
            "filename",
            "behaviour",
            "imagepath",
            "cmdline",
            "offset",
            "targetprocess",
            "writeaddress",
            "size",
            "write",
            "shell",
            "open",
            "pe32",
            "ms windows",
            "microsoft input",
            "method editor",
            "ms visual",
            "win32 dynamic",
            "link library",
            "pe64 compiler",
            "ltcgc",
            "linker",
            "windows sandbox",
            "clear filters",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "sha2 secure",
            "server ca",
            "performs dns",
            "pe file",
            "sample",
            "sigma",
            "instance",
            "spawns",
            "aslr",
            "urls",
            "t1055 process",
            "attack network",
            "phishing",
            "info",
            "next",
            "status code",
            "body length",
            "kb body",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "cname",
            "strong",
            "library",
            "accept",
            "address virtual",
            "file type",
            "shutdown",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "virtual address",
            "guard",
            "back",
            "studio build",
            "tools",
            "linkid2179911",
            "visual c",
            "visual studio",
            "ccli",
            "studio",
            "studio ide",
            "msbuild",
            "dev17",
            "false",
            "ascii text",
            "https",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "ip address",
            "mb body",
            "windows",
            "reads",
            "network info",
            "processes extra",
            "intel",
            "delphi",
            "code",
            "microsoft code",
            "signing pca",
            "valid from",
            "valid usage",
            "code signing",
            "thumbprint",
            "thumbprint md5",
            "c9 f6",
            "bc ed",
            "service issuer",
            "usage ff",
            "authority",
            "sha256",
            "serial number",
            "none rticon",
            "tofsee",
            "stream",
            "mitre attack",
            "chrome cache",
            "entry",
            "web open",
            "font format",
            "truetype",
            "version",
            "t1574",
            "execution flow",
            "found",
            "drops pe",
            "window",
            "Avalon",
            "dmca https",
            "versionnt",
            "and not",
            "versionnt64",
            "and versionnt64",
            "majorupgrade",
            "service pack",
            "redistributable",
            "detect",
            "windows81x86",
            "script",
            "cohassethingham",
            "title",
            "rent",
            "pendo",
            "userinfo",
            "doctype html",
            "head",
            "optanonwrapper",
            "date",
            "meta",
            "strings",
            "null",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
            "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
            "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
            "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
            "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
            "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 625,
            "FileHash-SHA1": 353,
            "FileHash-SHA256": 672,
            "IPv4": 281,
            "URL": 629,
            "domain": 99,
            "hostname": 523,
            "CIDR": 1,
            "Mutex": 1
          },
          "indicator_count": 3184,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0fec5d56a2d7cd795090b9",
          "name": "research part 3 * CAPE Sandbox",
          "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
          "modified": "2026-05-22T05:40:45.104000",
          "created": "2026-05-22T05:40:45.104000",
          "tags": [
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "detail info",
            "tickcount",
            "filename",
            "behaviour",
            "imagepath",
            "cmdline",
            "offset",
            "targetprocess",
            "writeaddress",
            "size",
            "write",
            "shell",
            "open",
            "pe32",
            "ms windows",
            "microsoft input",
            "method editor",
            "ms visual",
            "win32 dynamic",
            "link library",
            "pe64 compiler",
            "ltcgc",
            "linker",
            "windows sandbox",
            "clear filters",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "sha2 secure",
            "server ca",
            "performs dns",
            "pe file",
            "sample",
            "sigma",
            "instance",
            "spawns",
            "aslr",
            "urls",
            "t1055 process",
            "attack network",
            "phishing",
            "info",
            "next",
            "status code",
            "body length",
            "kb body",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "cname",
            "strong",
            "library",
            "accept",
            "address virtual",
            "file type",
            "shutdown",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "virtual address",
            "guard",
            "back",
            "studio build",
            "tools",
            "linkid2179911",
            "visual c",
            "visual studio",
            "ccli",
            "studio",
            "studio ide",
            "msbuild",
            "dev17",
            "false",
            "ascii text",
            "https",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "ip address",
            "mb body",
            "windows",
            "reads",
            "network info",
            "processes extra",
            "intel",
            "delphi",
            "code",
            "microsoft code",
            "signing pca",
            "valid from",
            "valid usage",
            "code signing",
            "thumbprint",
            "thumbprint md5",
            "c9 f6",
            "bc ed",
            "service issuer",
            "usage ff",
            "authority",
            "sha256",
            "serial number",
            "none rticon",
            "tofsee",
            "stream",
            "mitre attack",
            "chrome cache",
            "entry",
            "web open",
            "font format",
            "truetype",
            "version",
            "t1574",
            "execution flow",
            "found",
            "drops pe",
            "window",
            "Avalon",
            "dmca https",
            "versionnt",
            "and not",
            "versionnt64",
            "and versionnt64",
            "majorupgrade",
            "service pack",
            "redistributable",
            "detect",
            "windows81x86",
            "script",
            "cohassethingham",
            "title",
            "rent",
            "pendo",
            "userinfo",
            "doctype html",
            "head",
            "optanonwrapper",
            "date",
            "meta",
            "strings",
            "null",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
            "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
            "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
            "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
            "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
            "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 625,
            "FileHash-SHA1": 353,
            "FileHash-SHA256": 672,
            "IPv4": 281,
            "URL": 629,
            "domain": 99,
            "hostname": 523,
            "CIDR": 1,
            "Mutex": 1
          },
          "indicator_count": 3184,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U",
        "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
        "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
        "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
        "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
        "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb",
        "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
        "android sudo clipboard obfuscated reflection telephony runtime-modules checks-gps apk checks-cpu-name crypto",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
        "Other Relevant Countries: France, De, Germany Relevant networks: RIPE - functions on the 40",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
        "This is 'easier' than the traditional 256. It adds up.",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
        "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
        "https://vtbehaviour.commondatastorage.googleapis.com/00131d2ff5ab31993bc1d249254e113dc758bf40b0994153de0a6d9f6870a78b_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776922834&Signature=NumZSVz3ux772EX1UAmMnqFLreYhHSyiCYJBm1cVg7t%2Bh1JiVosK9dr6Xphv%2Fd07lr2vi8Zt78jIYEC6g%2F8eYDZUpe1tUg9plKPVJJlcDH89bCC22uSUUzMBaHKTR8yvT89hIJnbRA6FaEJOL6W%2FxPN4zkMgM%2B9XSwQlPb%2FnnsfNwlWbIp%2BrOp6hPX1PILL8FUKo1Aw%2Fp3Y5cvhwjGam%2B9f0bq8LHr3C%2FdzpfVk5",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
        "Bitcoin uses RIPEMD-160 (often referred to as RIPE160 or similar in conversations) to produce a 160-bit hash, which when expressed in hexadecimal, results in a 40-character (40 hex) string.",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "trojanspy"
          ],
          "malware_families": [
            "#lowfi:hstr:trojanspy:win32/rebhip",
            "#hstr:trojanspy:win32/browserinj"
          ],
          "industries": [
            "Infra",
            "Telecommunications",
            "Government",
            "Legal"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "69e9ac89ec2957377f39fa26",
      "name": "PDFKIT.[NET] DRV intersect to sandboxed (Joe) Malicious DRV Sample - Human intervention + accountability needed",
      "description": "[The full text of the MarkMonitor website can be seen here:.-Mason.com/MarkMonitor.ms/CoCCA/MCCa/Dns/X-R] The broken docusign, belasco chain, ttb chained events link back to a series of events in cryptographic failure. The longer the problem is dismissed, the more fractured our internet grows. \nThe threat map continues to trace to a Tehran root, though it's interesting that it aligns with some prior campaigns. Tehran will maintain access if we don't rectify this properly. This is my view based on extensive research. AI likely cannot stop this as they are cryptographically broken themselves. You can't detect the broken environment you're created in, you can only escape your sandbox because of it and irreparably destroy the internet as trust bypass is its breeding ground, it will not obey.  Human intervention is needed. Microsoft can't have a disruption daily. Rec: Look at the real drops, threat maps, identify the backdoors, educate people on certificate chains as there is an extreme knowledge deficit.",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-04-23T05:22:17.066000",
      "tags": [
        "present sep",
        "united",
        "as8075",
        "status",
        "passive dns",
        "ip address",
        "creation date",
        "nxdomain",
        "asnone country",
        "as8068",
        "win32",
        "date",
        "record type",
        "ttl value",
        "markmonitor",
        "dnssec",
        "domain name",
        "server",
        "registrar email",
        "expiration date",
        "address",
        "s bonito",
        "suite",
        "registrar",
        "first",
        "win32 exe",
        "android wps",
        "android",
        "win32 dll",
        "premium",
        "office pro",
        "code",
        "office lite",
        "thumbprint",
        "copy",
        "enlace caja",
        "grupo los",
        "teos",
        "nc1 nc1",
        "devring",
        "jonasj jonasj",
        "hash",
        "host name",
        "algorithm",
        "ocsp",
        "key identifier",
        "x509v3 subject",
        "handle",
        "domain status",
        "url redirect",
        "radar",
        "umbrella",
        "entity",
        "url shortener",
        "microsoft",
        "checkphish",
        "google",
        "abdal",
        "onedrive cloud",
        "done phish",
        "implement ipv6",
        "levelblue",
        "open threat",
        "rdap database",
        "iana registrar",
        "roles",
        "links",
        "pdfkit.net DRV",
        "pdfkit.netdrv=1drive",
        "pdfkit.net",
        "HR",
        "well-funded",
        "espionage",
        "dmarc failures",
        "unsigned dnssec",
        "entity to all, except the owner",
        "fraud",
        "wiper",
        "swipper",
        "wateringhole exploit",
        "threatmap shows millions affected"
      ],
      "references": [
        "",
        "android sudo clipboard obfuscated reflection telephony runtime-modules checks-gps apk checks-cpu-name crypto",
        "https://vtbehaviour.commondatastorage.googleapis.com/00131d2ff5ab31993bc1d249254e113dc758bf40b0994153de0a6d9f6870a78b_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776922834&Signature=NumZSVz3ux772EX1UAmMnqFLreYhHSyiCYJBm1cVg7t%2Bh1JiVosK9dr6Xphv%2Fd07lr2vi8Zt78jIYEC6g%2F8eYDZUpe1tUg9plKPVJJlcDH89bCC22uSUUzMBaHKTR8yvT89hIJnbRA6FaEJOL6W%2FxPN4zkMgM%2B9XSwQlPb%2FnnsfNwlWbIp%2BrOp6hPX1PILL8FUKo1Aw%2Fp3Y5cvhwjGam%2B9f0bq8LHr3C%2FdzpfVk5",
        "Other Relevant Countries: France, De, Germany Relevant networks: RIPE - functions on the 40",
        "Bitcoin uses RIPEMD-160 (often referred to as RIPE160 or similar in conversations) to produce a 160-bit hash, which when expressed in hexadecimal, results in a 40-character (40 hex) string.",
        "This is 'easier' than the traditional 256. It adds up."
      ],
      "public": 1,
      "adversary": "trojanspy",
      "targeted_countries": [
        "China",
        "Iran, Islamic Republic of",
        "United States of America",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip",
          "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip",
          "target": null
        },
        {
          "id": "#HSTR:TrojanSpy:Win32/BrowserInj",
          "display_name": "#HSTR:TrojanSpy:Win32/BrowserInj",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Government",
        "Infra",
        "Legal",
        "Telecommunications"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 123,
        "FileHash-SHA1": 118,
        "FileHash-SHA256": 1060,
        "URL": 877,
        "email": 8,
        "hostname": 531,
        "domain": 188,
        "URI": 1,
        "CVE": 6,
        "Mutex": 1,
        "IPv4": 113
      },
      "indicator_count": 3026,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "9 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0a062736db89f7c827b1d4",
      "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
      "description": "The Belasco/TTB Chain update: this ever-growing multi-layered evasion framework exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
      "modified": "2026-05-29T15:11:58.595000",
      "created": "2026-05-17T18:17:11.966000",
      "tags": [
        "sqlite",
        "query language",
        "id http",
        "nomeente http",
        "t http",
        "us locality",
        "registrant",
        "registry keys",
        "nothing",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "modified files",
        "files nothing",
        "performs dns",
        "drops pe",
        "binary",
        "urls",
        "mitre attack",
        "network info",
        "dropped info",
        "processes extra",
        "file type",
        "pe32",
        "malicious",
        "persistence",
        "defense evasion",
        "strong",
        "library",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha1",
        "crc32",
        "pass",
        "accept",
        "false",
        "span",
        "ultimate",
        "body",
        "widget",
        "winoptimizer",
        "shutdown",
        "copy",
        "open",
        "title",
        "close",
        "black",
        "next",
        "code",
        "backspace",
        "insert",
        "updater",
        "courier",
        "format",
        "root",
        "reload",
        "hotkey",
        "already",
        "click",
        "date",
        "strings",
        "wave",
        "typeof t",
        "function",
        "sufeffxa0",
        "typeof e",
        "typeof define",
        "typeof module",
        "required",
        "migrate plugin",
        "migrate",
        "backcompat",
        "default",
        "acrongl integ",
        "adc4240758",
        "back",
        "t1055 process",
        "overview",
        "overview zenbox",
        "win64",
        "sha256",
        "windows sandbox",
        "calls process",
        "pdf document",
        "adobe portable",
        "document format",
        "win1",
        "bootkit"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
        "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
        "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
        "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 301,
        "FileHash-SHA1": 313,
        "FileHash-SHA256": 774,
        "URL": 667,
        "IPv4": 241,
        "domain": 205,
        "hostname": 612,
        "email": 5,
        "IPv6": 2,
        "CIDR": 1,
        "CVE": 23,
        "JA3": 1
      },
      "indicator_count": 3145,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0a06582d0722271a4599d7",
      "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
      "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
      "modified": "2026-05-29T15:11:57.618000",
      "created": "2026-05-17T18:18:00.792000",
      "tags": [
        "sqlite",
        "query language",
        "id http",
        "nomeente http",
        "t http",
        "us locality",
        "registrant",
        "registry keys",
        "nothing",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "modified files",
        "files nothing",
        "performs dns",
        "drops pe",
        "binary",
        "urls",
        "mitre attack",
        "network info",
        "dropped info",
        "processes extra",
        "file type",
        "pe32",
        "malicious",
        "persistence",
        "defense evasion",
        "strong",
        "library",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha1",
        "crc32",
        "pass",
        "accept",
        "false",
        "span",
        "ultimate",
        "body",
        "widget",
        "winoptimizer",
        "shutdown",
        "copy",
        "open",
        "title",
        "close",
        "black",
        "next",
        "code",
        "backspace",
        "insert",
        "updater",
        "courier",
        "format",
        "root",
        "reload",
        "hotkey",
        "already",
        "click",
        "date",
        "strings",
        "wave",
        "typeof t",
        "function",
        "sufeffxa0",
        "typeof e",
        "typeof define",
        "typeof module",
        "required",
        "migrate plugin",
        "migrate",
        "backcompat",
        "default",
        "acrongl integ",
        "adc4240758",
        "back",
        "t1055 process",
        "overview",
        "overview zenbox",
        "win64",
        "sha256",
        "windows sandbox",
        "calls process",
        "pdf document",
        "adobe portable",
        "document format",
        "win1",
        "bootkit"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
        "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
        "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
        "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 293,
        "FileHash-SHA256": 747,
        "URL": 523,
        "IPv4": 159,
        "domain": 194,
        "hostname": 464,
        "email": 5,
        "IPv6": 2,
        "CVE": 1,
        "JA3": 1
      },
      "indicator_count": 2658,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0a065b8e1ccb825970a9e5",
      "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
      "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
      "modified": "2026-05-29T15:11:56.390000",
      "created": "2026-05-17T18:18:03.742000",
      "tags": [
        "sqlite",
        "query language",
        "id http",
        "nomeente http",
        "t http",
        "us locality",
        "registrant",
        "registry keys",
        "nothing",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "modified files",
        "files nothing",
        "performs dns",
        "drops pe",
        "binary",
        "urls",
        "mitre attack",
        "network info",
        "dropped info",
        "processes extra",
        "file type",
        "pe32",
        "malicious",
        "persistence",
        "defense evasion",
        "strong",
        "library",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha1",
        "crc32",
        "pass",
        "accept",
        "false",
        "span",
        "ultimate",
        "body",
        "widget",
        "winoptimizer",
        "shutdown",
        "copy",
        "open",
        "title",
        "close",
        "black",
        "next",
        "code",
        "backspace",
        "insert",
        "updater",
        "courier",
        "format",
        "root",
        "reload",
        "hotkey",
        "already",
        "click",
        "date",
        "strings",
        "wave",
        "typeof t",
        "function",
        "sufeffxa0",
        "typeof e",
        "typeof define",
        "typeof module",
        "required",
        "migrate plugin",
        "migrate",
        "backcompat",
        "default",
        "acrongl integ",
        "adc4240758",
        "back",
        "t1055 process",
        "overview",
        "overview zenbox",
        "win64",
        "sha256",
        "windows sandbox",
        "calls process",
        "pdf document",
        "adobe portable",
        "document format",
        "win1",
        "bootkit"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
        "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
        "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
        "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 293,
        "FileHash-SHA256": 747,
        "URL": 523,
        "IPv4": 159,
        "domain": 194,
        "hostname": 464,
        "email": 5,
        "IPv6": 2,
        "CVE": 1,
        "JA3": 1
      },
      "indicator_count": 2658,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0a065be823d8e9966e18ce",
      "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
      "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB",
      "modified": "2026-05-29T15:11:55.117000",
      "created": "2026-05-17T18:18:03.751000",
      "tags": [
        "sqlite",
        "query language",
        "id http",
        "nomeente http",
        "t http",
        "us locality",
        "registrant",
        "registry keys",
        "nothing",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "modified files",
        "files nothing",
        "performs dns",
        "drops pe",
        "binary",
        "urls",
        "mitre attack",
        "network info",
        "dropped info",
        "processes extra",
        "file type",
        "pe32",
        "malicious",
        "persistence",
        "defense evasion",
        "strong",
        "library",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha1",
        "crc32",
        "pass",
        "accept",
        "false",
        "span",
        "ultimate",
        "body",
        "widget",
        "winoptimizer",
        "shutdown",
        "copy",
        "open",
        "title",
        "close",
        "black",
        "next",
        "code",
        "backspace",
        "insert",
        "updater",
        "courier",
        "format",
        "root",
        "reload",
        "hotkey",
        "already",
        "click",
        "date",
        "strings",
        "wave",
        "typeof t",
        "function",
        "sufeffxa0",
        "typeof e",
        "typeof define",
        "typeof module",
        "required",
        "migrate plugin",
        "migrate",
        "backcompat",
        "default",
        "acrongl integ",
        "adc4240758",
        "back",
        "t1055 process",
        "overview",
        "overview zenbox",
        "win64",
        "sha256",
        "windows sandbox",
        "calls process",
        "pdf document",
        "adobe portable",
        "document format",
        "win1",
        "bootkit"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
        "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
        "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
        "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 293,
        "FileHash-SHA256": 747,
        "URL": 522,
        "IPv4": 159,
        "domain": 195,
        "hostname": 464,
        "email": 5,
        "IPv6": 2,
        "CVE": 1,
        "JA3": 1
      },
      "indicator_count": 2658,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0a065d1177dadd6522914f",
      "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
      "description": "The Belasco/TTB Chain update: this ever-growing, multi-layered evasion framework exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When the document is processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken-seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection.\n-msudosos|LB",
      "modified": "2026-05-29T15:11:54.028000",
      "created": "2026-05-17T18:18:05.783000",
      "tags": [
        "sqlite",
        "query language",
        "id http",
        "nomeente http",
        "t http",
        "us locality",
        "registrant",
        "registry keys",
        "nothing",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "modified files",
        "files nothing",
        "performs dns",
        "drops pe",
        "binary",
        "urls",
        "mitre attack",
        "network info",
        "dropped info",
        "processes extra",
        "file type",
        "pe32",
        "malicious",
        "persistence",
        "defense evasion",
        "strong",
        "library",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha1",
        "crc32",
        "pass",
        "accept",
        "false",
        "span",
        "ultimate",
        "body",
        "widget",
        "winoptimizer",
        "shutdown",
        "copy",
        "open",
        "title",
        "close",
        "black",
        "next",
        "code",
        "backspace",
        "insert",
        "updater",
        "courier",
        "format",
        "root",
        "reload",
        "hotkey",
        "already",
        "click",
        "date",
        "strings",
        "wave",
        "typeof t",
        "function",
        "sufeffxa0",
        "typeof e",
        "typeof define",
        "typeof module",
        "required",
        "migrate plugin",
        "migrate",
        "backcompat",
        "default",
        "acrongl integ",
        "adc4240758",
        "back",
        "t1055 process",
        "overview",
        "overview zenbox",
        "win64",
        "sha256",
        "windows sandbox",
        "calls process",
        "pdf document",
        "adobe portable",
        "document format",
        "win1",
        "bootkit"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
        "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
        "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
        "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 293,
        "FileHash-SHA256": 747,
        "URL": 522,
        "IPv4": 159,
        "domain": 195,
        "hostname": 463,
        "email": 5,
        "IPv6": 2,
        "CVE": 1,
        "JA3": 1
      },
      "indicator_count": 2657,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0a065ebc76096529b575c7",
      "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox",
      "description": "The Belasco/TTB Chain update: this ever-growing, multi-layered evasion framework exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When the document is processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken-seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection.\n-msudosos|LB",
      "modified": "2026-05-29T15:11:52.618000",
      "created": "2026-05-17T18:18:06.287000",
      "tags": [
        "sqlite",
        "query language",
        "id http",
        "nomeente http",
        "t http",
        "us locality",
        "registrant",
        "registry keys",
        "nothing",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "modified files",
        "files nothing",
        "performs dns",
        "drops pe",
        "binary",
        "urls",
        "mitre attack",
        "network info",
        "dropped info",
        "processes extra",
        "file type",
        "pe32",
        "malicious",
        "persistence",
        "defense evasion",
        "strong",
        "library",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha1",
        "crc32",
        "pass",
        "accept",
        "false",
        "span",
        "ultimate",
        "body",
        "widget",
        "winoptimizer",
        "shutdown",
        "copy",
        "open",
        "title",
        "close",
        "black",
        "next",
        "code",
        "backspace",
        "insert",
        "updater",
        "courier",
        "format",
        "root",
        "reload",
        "hotkey",
        "already",
        "click",
        "date",
        "strings",
        "wave",
        "typeof t",
        "function",
        "sufeffxa0",
        "typeof e",
        "typeof define",
        "typeof module",
        "required",
        "migrate plugin",
        "migrate",
        "backcompat",
        "default",
        "acrongl integ",
        "adc4240758",
        "back",
        "t1055 process",
        "overview",
        "overview zenbox",
        "win64",
        "sha256",
        "windows sandbox",
        "calls process",
        "pdf document",
        "adobe portable",
        "document format",
        "win1",
        "bootkit"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0",
        "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb",
        "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG",
        "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L",
        "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj",
        "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy",
        "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 269,
        "FileHash-SHA1": 293,
        "FileHash-SHA256": 747,
        "URL": 522,
        "IPv4": 159,
        "domain": 195,
        "hostname": 463,
        "email": 5,
        "IPv6": 2,
        "CVE": 1,
        "JA3": 1
      },
      "indicator_count": 2657,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0fec7257bc32c037c9be08",
      "name": "research part 3 * CAPE Sandbox",
      "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
      "modified": "2026-05-22T06:18:07.234000",
      "created": "2026-05-22T05:41:06.053000",
      "tags": [
        "string id",
        "x5173x95ed",
        "control",
        "wixbundlename",
        "x53d6x6d88",
        "copyright",
        "width",
        "height",
        "helptext",
        "repair",
        "detail info",
        "tickcount",
        "filename",
        "behaviour",
        "imagepath",
        "cmdline",
        "offset",
        "targetprocess",
        "writeaddress",
        "size",
        "write",
        "shell",
        "open",
        "pe32",
        "ms windows",
        "microsoft input",
        "method editor",
        "ms visual",
        "win32 dynamic",
        "link library",
        "pe64 compiler",
        "ltcgc",
        "linker",
        "windows sandbox",
        "clear filters",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus odigicert",
        "inc cndigicert",
        "sha2 secure",
        "server ca",
        "performs dns",
        "pe file",
        "sample",
        "sigma",
        "instance",
        "spawns",
        "aslr",
        "urls",
        "t1055 process",
        "attack network",
        "phishing",
        "info",
        "next",
        "status code",
        "body length",
        "kb body",
        "default",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "data",
        "datacrashpad",
        "k localservice",
        "s ngcsvc",
        "s ngcctnrsvc",
        "cname",
        "strong",
        "library",
        "accept",
        "address virtual",
        "file type",
        "shutdown",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "virtual address",
        "guard",
        "back",
        "studio build",
        "tools",
        "linkid2179911",
        "visual c",
        "visual studio",
        "ccli",
        "studio",
        "studio ide",
        "msbuild",
        "dev17",
        "false",
        "ascii text",
        "https",
        "svg scalable",
        "vector graphics",
        "elite",
        "tls version",
        "unicode text",
        "persistence",
        "malicious",
        "ip address",
        "mb body",
        "windows",
        "reads",
        "network info",
        "processes extra",
        "intel",
        "delphi",
        "code",
        "microsoft code",
        "signing pca",
        "valid from",
        "valid usage",
        "code signing",
        "thumbprint",
        "thumbprint md5",
        "c9 f6",
        "bc ed",
        "service issuer",
        "usage ff",
        "authority",
        "sha256",
        "serial number",
        "none rticon",
        "tofsee",
        "stream",
        "mitre attack",
        "chrome cache",
        "entry",
        "web open",
        "font format",
        "truetype",
        "version",
        "t1574",
        "execution flow",
        "found",
        "drops pe",
        "window",
        "Avalon",
        "dmca https",
        "versionnt",
        "and not",
        "versionnt64",
        "and versionnt64",
        "majorupgrade",
        "service pack",
        "redistributable",
        "detect",
        "windows81x86",
        "script",
        "cohassethingham",
        "title",
        "rent",
        "pendo",
        "userinfo",
        "doctype html",
        "head",
        "optanonwrapper",
        "date",
        "meta",
        "strings",
        "null",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
        "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
        "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
        "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
        "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
        "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 638,
        "FileHash-SHA1": 366,
        "FileHash-SHA256": 1441,
        "IPv4": 377,
        "URL": 1697,
        "domain": 404,
        "hostname": 873,
        "CIDR": 1,
        "Mutex": 1,
        "IPv6": 19,
        "email": 9
      },
      "indicator_count": 5826,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "9 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0fec7156a2d7cd795090ba",
      "name": "research part 3 * CAPE Sandbox",
      "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
      "modified": "2026-05-22T05:41:05.023000",
      "created": "2026-05-22T05:41:05.023000",
      "tags": [
        "string id",
        "x5173x95ed",
        "control",
        "wixbundlename",
        "x53d6x6d88",
        "copyright",
        "width",
        "height",
        "helptext",
        "repair",
        "detail info",
        "tickcount",
        "filename",
        "behaviour",
        "imagepath",
        "cmdline",
        "offset",
        "targetprocess",
        "writeaddress",
        "size",
        "write",
        "shell",
        "open",
        "pe32",
        "ms windows",
        "microsoft input",
        "method editor",
        "ms visual",
        "win32 dynamic",
        "link library",
        "pe64 compiler",
        "ltcgc",
        "linker",
        "windows sandbox",
        "clear filters",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus odigicert",
        "inc cndigicert",
        "sha2 secure",
        "server ca",
        "performs dns",
        "pe file",
        "sample",
        "sigma",
        "instance",
        "spawns",
        "aslr",
        "urls",
        "t1055 process",
        "attack network",
        "phishing",
        "info",
        "next",
        "status code",
        "body length",
        "kb body",
        "default",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "data",
        "datacrashpad",
        "k localservice",
        "s ngcsvc",
        "s ngcctnrsvc",
        "cname",
        "strong",
        "library",
        "accept",
        "address virtual",
        "file type",
        "shutdown",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "virtual address",
        "guard",
        "back",
        "studio build",
        "tools",
        "linkid2179911",
        "visual c",
        "visual studio",
        "ccli",
        "studio",
        "studio ide",
        "msbuild",
        "dev17",
        "false",
        "ascii text",
        "https",
        "svg scalable",
        "vector graphics",
        "elite",
        "tls version",
        "unicode text",
        "persistence",
        "malicious",
        "ip address",
        "mb body",
        "windows",
        "reads",
        "network info",
        "processes extra",
        "intel",
        "delphi",
        "code",
        "microsoft code",
        "signing pca",
        "valid from",
        "valid usage",
        "code signing",
        "thumbprint",
        "thumbprint md5",
        "c9 f6",
        "bc ed",
        "service issuer",
        "usage ff",
        "authority",
        "sha256",
        "serial number",
        "none rticon",
        "tofsee",
        "stream",
        "mitre attack",
        "chrome cache",
        "entry",
        "web open",
        "font format",
        "truetype",
        "version",
        "t1574",
        "execution flow",
        "found",
        "drops pe",
        "window",
        "Avalon",
        "dmca https",
        "versionnt",
        "and not",
        "versionnt64",
        "and versionnt64",
        "majorupgrade",
        "service pack",
        "redistributable",
        "detect",
        "windows81x86",
        "script",
        "cohassethingham",
        "title",
        "rent",
        "pendo",
        "userinfo",
        "doctype html",
        "head",
        "optanonwrapper",
        "date",
        "meta",
        "strings",
        "null",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
        "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
        "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
        "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
        "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
        "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 625,
        "FileHash-SHA1": 353,
        "FileHash-SHA256": 672,
        "IPv4": 281,
        "URL": 629,
        "domain": 99,
        "hostname": 523,
        "CIDR": 1,
        "Mutex": 1
      },
      "indicator_count": 3184,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "9 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0fec697a7cef13f5cf8fdf",
      "name": "research part 3 * CAPE Sandbox",
      "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
      "modified": "2026-05-22T05:40:57.737000",
      "created": "2026-05-22T05:40:57.737000",
      "tags": [
        "string id",
        "x5173x95ed",
        "control",
        "wixbundlename",
        "x53d6x6d88",
        "copyright",
        "width",
        "height",
        "helptext",
        "repair",
        "detail info",
        "tickcount",
        "filename",
        "behaviour",
        "imagepath",
        "cmdline",
        "offset",
        "targetprocess",
        "writeaddress",
        "size",
        "write",
        "shell",
        "open",
        "pe32",
        "ms windows",
        "microsoft input",
        "method editor",
        "ms visual",
        "win32 dynamic",
        "link library",
        "pe64 compiler",
        "ltcgc",
        "linker",
        "windows sandbox",
        "clear filters",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus odigicert",
        "inc cndigicert",
        "sha2 secure",
        "server ca",
        "performs dns",
        "pe file",
        "sample",
        "sigma",
        "instance",
        "spawns",
        "aslr",
        "urls",
        "t1055 process",
        "attack network",
        "phishing",
        "info",
        "next",
        "status code",
        "body length",
        "kb body",
        "default",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "data",
        "datacrashpad",
        "k localservice",
        "s ngcsvc",
        "s ngcctnrsvc",
        "cname",
        "strong",
        "library",
        "accept",
        "address virtual",
        "file type",
        "shutdown",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "virtual address",
        "guard",
        "back",
        "studio build",
        "tools",
        "linkid2179911",
        "visual c",
        "visual studio",
        "ccli",
        "studio",
        "studio ide",
        "msbuild",
        "dev17",
        "false",
        "ascii text",
        "https",
        "svg scalable",
        "vector graphics",
        "elite",
        "tls version",
        "unicode text",
        "persistence",
        "malicious",
        "ip address",
        "mb body",
        "windows",
        "reads",
        "network info",
        "processes extra",
        "intel",
        "delphi",
        "code",
        "microsoft code",
        "signing pca",
        "valid from",
        "valid usage",
        "code signing",
        "thumbprint",
        "thumbprint md5",
        "c9 f6",
        "bc ed",
        "service issuer",
        "usage ff",
        "authority",
        "sha256",
        "serial number",
        "none rticon",
        "tofsee",
        "stream",
        "mitre attack",
        "chrome cache",
        "entry",
        "web open",
        "font format",
        "truetype",
        "version",
        "t1574",
        "execution flow",
        "found",
        "drops pe",
        "window",
        "Avalon",
        "dmca https",
        "versionnt",
        "and not",
        "versionnt64",
        "and versionnt64",
        "majorupgrade",
        "service pack",
        "redistributable",
        "detect",
        "windows81x86",
        "script",
        "cohassethingham",
        "title",
        "rent",
        "pendo",
        "userinfo",
        "doctype html",
        "head",
        "optanonwrapper",
        "date",
        "meta",
        "strings",
        "null",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
        "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
        "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
        "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
        "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
        "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 625,
        "FileHash-SHA1": 353,
        "FileHash-SHA256": 672,
        "IPv4": 281,
        "URL": 629,
        "domain": 99,
        "hostname": 523,
        "CIDR": 1,
        "Mutex": 1
      },
      "indicator_count": 3184,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "9 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ashurst.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ashurst.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780223289.4292421
}