{ "type": "URL", "indicator": "https://d.symcb.com/rpa0@", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://d.symcb.com/rpa0@", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #246", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain symcb.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2800321499, "indicator": "https://d.symcb.com/rpa0@", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69de16a3c7cc241533da1de7", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T11:12:02.310000", "created": "2026-04-14T10:27:47.855000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 346, "FileHash-SHA1": 338, "FileHash-SHA256": 859, "URL": 1100, "hostname": 374, "domain": 30 }, "indicator_count": 3047, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5dc7f14703534399a9bc0", "name": "Credit Arek-BTC [DF8947065D551A0314.TMP]", "description": "", "modified": "2026-05-02T11:14:07.669000", "created": "2026-05-02T11:14:07.669000", "tags": [ "cascadia code", "cascadia mono", "semibold italic", "code light", "italic cascadia", "mono bold", "code extralight", "light cascadia", "code semibold", "code bold", "verified", "corporation", "proces hosta", "publisher", "pagefile", "wystpi", "zapisywania w", "nazwa pliku", "pagefile backed", "google llc", "unknown", "virustotal", "google chrome", "microsoft edge", "runtime broker", "com surrogate", "host microsoft", "experience host", "cpu private", "segoe ui", "georgia pro", "courier new", "meiryo ui", "angsana new", "cordia new", "trebuchet ms", "new roman", "times new", "bold italic", "lodi", "black", "light", "hardware id", "ph d", "xh d", "hh d", "ph l", "xh t", "ph t", "hh t", "setreginfhwid", "enter case", "null", "fail", "class", "find", "leave", "agent", "install", "restart", "devcon", "insert", "error", "trace", "reboot", "date", "play", "obsolete" ], "references": [ "RestSharp.xml", "uploader.exe.config", "FontCache-FontSet-S-1-5-21-180148034-4076160886-2845755598-1001.dat.txt", "msedgewebview2.exe.txt", "lsass.exe.txt", "FontCache-System.dat.txt", "AdminService.exe.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "68872d10659d7e4fd947dabc", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 11, "URL": 28, "FileHash-SHA256": 419, "FileHash-MD5": 28, "FileHash-SHA1": 28 }, "indicator_count": 514, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68872d10659d7e4fd947dabc", "name": "~DF8947065D551A0314.TMP", "description": "https://www.virustotal.com/gui/file/205d000aa762f3a96ac3ad4b25d791b5f7fc8efb9056b78f299f671a02b9fd21/relations\nhttps://www.virustotal.com/gui/file/c7a68ec7facd2e90359f2cf414595f5533e86af8f5f61866c59388accac90d3c/relations", "modified": "2025-10-01T00:01:22.860000", "created": "2025-07-28T07:56:00.429000", "tags": [ "cascadia code", "cascadia mono", "semibold italic", "code light", "italic cascadia", "mono bold", "code extralight", "light cascadia", "code semibold", "code bold", "verified", "corporation", "proces hosta", "publisher", "pagefile", "wystpi", "zapisywania w", "nazwa pliku", "pagefile backed", "google llc", "unknown", "virustotal", "google chrome", "microsoft edge", "runtime broker", "com surrogate", "host microsoft", "experience host", "cpu private", "segoe ui", "georgia pro", "courier new", "meiryo ui", "angsana new", "cordia new", "trebuchet ms", "new roman", "times new", "bold italic", "lodi", "black", "light", "hardware id", "ph d", "xh d", "hh d", "ph l", "xh t", "ph t", "hh t", "setreginfhwid", "enter case", "null", "fail", "class", "find", "leave", "agent", "install", "restart", "devcon", "insert", "error", "trace", "reboot", "date", "play", "obsolete" ], "references": [ "RestSharp.xml", "uploader.exe.config", "FontCache-FontSet-S-1-5-21-180148034-4076160886-2845755598-1001.dat.txt", "msedgewebview2.exe.txt", "lsass.exe.txt", "FontCache-System.dat.txt", "AdminService.exe.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 11, "URL": 28, "FileHash-SHA256": 419, "FileHash-MD5": 28, "FileHash-SHA1": 28 }, "indicator_count": 514, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708ff8e1cd2e25819001c6", "name": "https://d1x9snl812q4nd.cloudfront.net/installer/com.supercell.boombeach/Boom_Beach-soft32epic99.exe", "description": "", "modified": "2023-12-06T15:15:04.906000", "created": "2023-12-06T15:15:04.906000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 132, "URL": 145, "hostname": 11, "FileHash-MD5": 68, "CVE": 1, "domain": 22, "FileHash-SHA1": 23, "SSLCertFingerprint": 2 }, "indicator_count": 404, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62bc6e8c81962fea1a414234", "name": "https://d1x9snl812q4nd.cloudfront.net/installer/com.supercell.boombeach/Boom_Beach-soft32epic99.exe", "description": "Boom_Beach-soft32epic99.exe\nCVE-2021-22941", "modified": "2022-07-29T00:00:24.010000", "created": "2022-06-29T15:23:56.541000", "tags": [ "ck id", "installer", "powershell", "media", "delphi", "february", "template", "april", "august", "launch", "install", "null", "blank", "green", "spool", "little", "team", "ip check", "Boom_Beach-soft32epic99.exe", "CVE-2021-22941" ], "references": [ "http://checkip.dyndns.org/Gelir_idaresi_Baskanligi/gib.exe", "http://84.22.104.244/data.exe", "http://iphones5sg.name/data.exe", "http://comslibingmakk.asia/data.exe", "https://hybrid-analysis.com/sample/4681d0b707c72394d9951a96d1bbdd4749299437dd4d43e0c9e63fb7a84f9cd1/62bc6a0a3092241dc7209dd2", "Boom_Beach-soft32epic99.exe", "CVE-2021-22941" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 132, "URL": 145, "hostname": 11, "domain": 22, "CVE": 1, "FileHash-MD5": 68, "FileHash-SHA1": 23, "SSLCertFingerprint": 2 }, "indicator_count": 404, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1402 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "AdminService.exe.txt", "lsass.exe.txt", "FontCache-System.dat.txt", "http://checkip.dyndns.org/Gelir_idaresi_Baskanligi/gib.exe", "http://84.22.104.244/data.exe", "msedgewebview2.exe.txt", "uploader.exe.config", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "RestSharp.xml", "https://hybrid-analysis.com/sample/4681d0b707c72394d9951a96d1bbdd4749299437dd4d43e0c9e63fb7a84f9cd1/62bc6a0a3092241dc7209dd2", "FontCache-FontSet-S-1-5-21-180148034-4076160886-2845755598-1001.dat.txt", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "http://comslibingmakk.asia/data.exe", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt", "Boom_Beach-soft32epic99.exe", "CVE-2021-22941", "http://iphones5sg.name/data.exe" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 2713 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/symcb.com", "whois": "http://whois.domaintools.com/symcb.com", "domain": "symcb.com", "hostname": "d.symcb.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69de16a3c7cc241533da1de7", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T11:12:02.310000", "created": "2026-04-14T10:27:47.855000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 346, "FileHash-SHA1": 338, "FileHash-SHA256": 859, "URL": 1100, "hostname": 374, "domain": 30 }, "indicator_count": 3047, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5dc7f14703534399a9bc0", "name": "Credit Arek-BTC [DF8947065D551A0314.TMP]", "description": "", "modified": "2026-05-02T11:14:07.669000", "created": "2026-05-02T11:14:07.669000", "tags": [ "cascadia code", "cascadia mono", "semibold italic", "code light", "italic cascadia", "mono bold", "code extralight", "light cascadia", "code semibold", "code bold", "verified", "corporation", "proces hosta", "publisher", "pagefile", "wystpi", "zapisywania w", "nazwa pliku", "pagefile backed", "google llc", "unknown", "virustotal", "google chrome", "microsoft edge", "runtime broker", "com surrogate", "host microsoft", "experience host", "cpu private", "segoe ui", "georgia pro", "courier new", "meiryo ui", "angsana new", "cordia new", "trebuchet ms", "new roman", "times new", "bold italic", "lodi", "black", "light", "hardware id", "ph d", "xh d", "hh d", "ph l", "xh t", "ph t", "hh t", "setreginfhwid", "enter case", "null", "fail", "class", "find", "leave", "agent", "install", "restart", "devcon", "insert", "error", "trace", "reboot", "date", "play", "obsolete" ], "references": [ "RestSharp.xml", "uploader.exe.config", "FontCache-FontSet-S-1-5-21-180148034-4076160886-2845755598-1001.dat.txt", "msedgewebview2.exe.txt", "lsass.exe.txt", "FontCache-System.dat.txt", "AdminService.exe.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "68872d10659d7e4fd947dabc", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 11, "URL": 28, "FileHash-SHA256": 419, "FileHash-MD5": 28, "FileHash-SHA1": 28 }, "indicator_count": 514, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68872d10659d7e4fd947dabc", "name": "~DF8947065D551A0314.TMP", "description": "https://www.virustotal.com/gui/file/205d000aa762f3a96ac3ad4b25d791b5f7fc8efb9056b78f299f671a02b9fd21/relations\nhttps://www.virustotal.com/gui/file/c7a68ec7facd2e90359f2cf414595f5533e86af8f5f61866c59388accac90d3c/relations", "modified": "2025-10-01T00:01:22.860000", "created": "2025-07-28T07:56:00.429000", "tags": [ "cascadia code", "cascadia mono", "semibold italic", "code light", "italic cascadia", "mono bold", "code extralight", "light cascadia", "code semibold", "code bold", "verified", "corporation", "proces hosta", "publisher", "pagefile", "wystpi", "zapisywania w", "nazwa pliku", "pagefile backed", "google llc", "unknown", "virustotal", "google chrome", "microsoft edge", "runtime broker", "com surrogate", "host microsoft", "experience host", "cpu private", "segoe ui", "georgia pro", "courier new", "meiryo ui", "angsana new", "cordia new", "trebuchet ms", "new roman", "times new", "bold italic", "lodi", "black", "light", "hardware id", "ph d", "xh d", "hh d", "ph l", "xh t", "ph t", "hh t", "setreginfhwid", "enter case", "null", "fail", "class", "find", "leave", "agent", "install", "restart", "devcon", "insert", "error", "trace", "reboot", "date", "play", "obsolete" ], "references": [ "RestSharp.xml", "uploader.exe.config", "FontCache-FontSet-S-1-5-21-180148034-4076160886-2845755598-1001.dat.txt", "msedgewebview2.exe.txt", "lsass.exe.txt", "FontCache-System.dat.txt", "AdminService.exe.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 11, "URL": 28, "FileHash-SHA256": 419, "FileHash-MD5": 28, "FileHash-SHA1": 28 }, "indicator_count": 514, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708ff8e1cd2e25819001c6", "name": "https://d1x9snl812q4nd.cloudfront.net/installer/com.supercell.boombeach/Boom_Beach-soft32epic99.exe", "description": "", "modified": "2023-12-06T15:15:04.906000", "created": "2023-12-06T15:15:04.906000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 132, "URL": 145, "hostname": 11, "FileHash-MD5": 68, "CVE": 1, "domain": 22, "FileHash-SHA1": 23, "SSLCertFingerprint": 2 }, "indicator_count": 404, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62bc6e8c81962fea1a414234", "name": "https://d1x9snl812q4nd.cloudfront.net/installer/com.supercell.boombeach/Boom_Beach-soft32epic99.exe", "description": "Boom_Beach-soft32epic99.exe\nCVE-2021-22941", "modified": "2022-07-29T00:00:24.010000", "created": "2022-06-29T15:23:56.541000", "tags": [ "ck id", "installer", "powershell", "media", "delphi", "february", "template", "april", "august", "launch", "install", "null", "blank", "green", "spool", "little", "team", "ip check", "Boom_Beach-soft32epic99.exe", "CVE-2021-22941" ], "references": [ "http://checkip.dyndns.org/Gelir_idaresi_Baskanligi/gib.exe", "http://84.22.104.244/data.exe", "http://iphones5sg.name/data.exe", "http://comslibingmakk.asia/data.exe", "https://hybrid-analysis.com/sample/4681d0b707c72394d9951a96d1bbdd4749299437dd4d43e0c9e63fb7a84f9cd1/62bc6a0a3092241dc7209dd2", "Boom_Beach-soft32epic99.exe", "CVE-2021-22941" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 132, "URL": 145, "hostname": 11, "domain": 22, "CVE": 1, "FileHash-MD5": 68, "FileHash-SHA1": 23, "SSLCertFingerprint": 2 }, "indicator_count": 404, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1402 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://d.symcb.com/rpa0@", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://d.symcb.com/rpa0@", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780237284.8978984 }