{ "type": "URL", "indicator": "https://edge-microsoft-com.ax-0002.ax-msedge.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://edge-microsoft-com.ax-0002.ax-msedge.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4069869178, "indicator": "https://edge-microsoft-com.ax-0002.ax-msedge.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 27, "pulses": [ { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13d458f27a51876d7949f5", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T17:19:19.635000", "created": "2026-05-25T04:47:20.503000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 326, "domain": 179, "hostname": 381, "FileHash-MD5": 811, "FileHash-SHA1": 835, "URL": 815, "email": 2 }, "indicator_count": 5615, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13d450d1c0f6a31e71cef1", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:31:09.918000", "created": "2026-05-25T04:47:12.640000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 372, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 812, "email": 2 }, "indicator_count": 5595, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13d455f52a1c3acb3904b6", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:29:42.941000", "created": "2026-05-25T04:47:17.194000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 382, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 816, "email": 2 }, "indicator_count": 5609, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a132a7a71682c83e9c17835", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-26T06:44:42.987000", "created": "2026-05-24T16:42:34.355000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1765, "URL": 1325, "hostname": 1489, "FileHash-MD5": 224, "FileHash-SHA1": 268, "IPv4": 152, "domain": 1177, "CIDR": 4, "email": 11, "IPv6": 1, "URI": 3, "CVE": 2, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6425, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a132a7a34bcc860b0e44ffc", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:34.350000", "created": "2026-05-24T16:42:34.350000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a132a7762cac9a1007d9ece", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:31.294000", "created": "2026-05-24T16:42:31.294000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a132a66fa217054f3e57883", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:14.218000", "created": "2026-05-24T16:42:14.218000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a132a577896901b2c0b993b", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:41:59.005000", "created": "2026-05-24T16:41:59.005000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2d25595b3d89057042", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.797000", "created": "2026-05-10T15:03:09.026000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 508, "domain": 139, "hostname": 317, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1642, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2c69cc5c3b5aa7185e", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.327000", "created": "2026-05-10T15:03:08.205000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 512, "domain": 141, "hostname": 323, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed99080ca19fd27b184cb", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:20:56.907000", "created": "2026-05-09T06:52:00.985000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 529, "IPv4": 403, "hostname": 394, "domain": 121, "URL": 262, "FileHash-SHA1": 291, "FileHash-SHA256": 396 }, "indicator_count": 2396, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed98ed79b13165d78dc30", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:11:16.996000", "created": "2026-05-09T06:51:58.884000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 547, "IPv4": 545, "hostname": 752, "domain": 290, "URL": 979, "FileHash-SHA1": 296, "FileHash-SHA256": 904, "CIDR": 2, "email": 2 }, "indicator_count": 4317, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed98a5807c9756ff0eb87", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T12:26:36.816000", "created": "2026-05-09T06:51:54.319000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "IPv4": 402, "hostname": 393, "domain": 120, "URL": 261, "FileHash-SHA1": 287, "FileHash-SHA256": 391 }, "indicator_count": 2375, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b2fa376059b4216e8f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T10:45:57.198000", "created": "2026-05-09T04:23:14.660000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1375, "hostname": 1101, "URL": 1336, "domain": 507, "email": 89, "FileHash-MD5": 1306, "FileHash-SHA1": 406, "IPv4": 268, "IPv6": 6, "CIDR": 35 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf7d974ee6628d0cfb", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:34.167000", "created": "2026-05-09T04:23:27.294000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf4862bcb87d24490f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:33.235000", "created": "2026-05-09T04:23:27.455000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf88886c13b84136a0", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:32.377000", "created": "2026-05-09T04:23:27.808000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed9859e3d403a869a56d9", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T07:20:23.936000", "created": "2026-05-09T06:51:49.607000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 522, "IPv4": 409, "hostname": 645, "domain": 178, "URL": 786, "FileHash-SHA1": 288, "FileHash-SHA256": 392, "CVE": 1 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b404e1f849c9993cf5", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:37.388000", "created": "2026-05-09T04:23:16.462000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bc6072aa1a00dc8b74", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:35.492000", "created": "2026-05-09T04:23:24.510000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68265ca628eac46f2784fa92", "name": "GAMEPROFITS 2024-2025 GOP HACK ATTACK SPYING ESPONIAGE HARRASMENT IP THEFT Tsara Brashears attackers REAL IDENTITIES", "description": "The latest campaign to harass and prevent the launch of ichoronium.com and gameprofits.io.", "modified": "2025-06-22T00:03:14.783000", "created": "2025-05-15T21:29:10.934000", "tags": [ "levelblue", "open threat" ], "references": [ "https://otx.alienvault.com/indicator/domain/stcigroup.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gameprofits.io", "id": "170823", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_170823/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 83, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 103, "hostname": 122, "URL": 138 }, "indicator_count": 456, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "343 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://otx.alienvault.com/indicator/domain/stcigroup.com", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Norwell" ], "industries": [], "unique_indicators": 20910 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ax-msedge.net", "whois": "http://whois.domaintools.com/ax-msedge.net", "domain": "ax-msedge.net", "hostname": "edge-microsoft-com.ax-0002.ax-msedge.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 27, "pulses": [ { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13d458f27a51876d7949f5", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T17:19:19.635000", "created": "2026-05-25T04:47:20.503000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 326, "domain": 179, "hostname": 381, "FileHash-MD5": 811, "FileHash-SHA1": 835, "URL": 815, "email": 2 }, "indicator_count": 5615, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13d450d1c0f6a31e71cef1", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:31:09.918000", "created": "2026-05-25T04:47:12.640000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 372, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 812, "email": 2 }, "indicator_count": 5595, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13d455f52a1c3acb3904b6", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:29:42.941000", "created": "2026-05-25T04:47:17.194000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 382, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 816, "email": 2 }, "indicator_count": 5609, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a132a7a71682c83e9c17835", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-26T06:44:42.987000", "created": "2026-05-24T16:42:34.355000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1765, "URL": 1325, "hostname": 1489, "FileHash-MD5": 224, "FileHash-SHA1": 268, "IPv4": 152, "domain": 1177, "CIDR": 4, "email": 11, "IPv6": 1, "URI": 3, "CVE": 2, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6425, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://edge-microsoft-com.ax-0002.ax-msedge.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://edge-microsoft-com.ax-0002.ax-msedge.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780262709.119704 }