{ "type": "URL", "indicator": "https://image.email3.altisource.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://image.email3.altisource.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4339102009, "indicator": "https://image.email3.altisource.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 31, "pulses": [ { "id": "6a0fec7257bc32c037c9be08", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T06:18:07.234000", "created": "2026-05-22T05:41:06.053000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 638, "FileHash-SHA1": 366, "FileHash-SHA256": 1441, "IPv4": 377, "URL": 1697, "domain": 404, "hostname": 873, "CIDR": 1, "Mutex": 1, "IPv6": 19, "email": 9 }, "indicator_count": 5826, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec7156a2d7cd795090ba", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:41:05.023000", "created": "2026-05-22T05:41:05.023000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec697a7cef13f5cf8fdf", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:57.737000", "created": "2026-05-22T05:40:57.737000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec65b9ecad6466cf0144", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:53.032000", "created": "2026-05-22T05:40:53.032000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec5d56a2d7cd795090b9", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:45.104000", "created": "2026-05-22T05:40:45.104000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2d25595b3d89057042", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.797000", "created": "2026-05-10T15:03:09.026000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 508, "domain": 139, "hostname": 317, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1642, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2c69cc5c3b5aa7185e", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.327000", "created": "2026-05-10T15:03:08.205000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 512, "domain": 141, "hostname": 323, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b2fa376059b4216e8f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T10:45:57.198000", "created": "2026-05-09T04:23:14.660000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1375, "hostname": 1101, "URL": 1336, "domain": 507, "email": 89, "FileHash-MD5": 1306, "FileHash-SHA1": 406, "IPv4": 268, "IPv6": 6, "CIDR": 35 }, "indicator_count": 6429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf7d974ee6628d0cfb", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:34.167000", "created": "2026-05-09T04:23:27.294000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf4862bcb87d24490f", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:33.235000", "created": "2026-05-09T04:23:27.455000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bf88886c13b84136a0", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T09:49:32.377000", "created": "2026-05-09T04:23:27.808000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 521, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6b404e1f849c9993cf5", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:37.388000", "created": "2026-05-09T04:23:16.462000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69feb6bc6072aa1a00dc8b74", "name": "Habo Analysis System - Unsigned- Critical Rest&Discover Certificate Chain Update", "description": "ba5e45e22cce048299a18027bc808faa4e907cfd0346f39f3bea2586c1e2954a- file is not signed- 2011-09-26 17:36:15 UTC- rest using link querys + d1c00920f5f34b770f530d28d087510191202d562c26802f4774ec14f88807e2 file is not signed 2011-09-26 17:34:29 UTC Rest Discover Spreadsheet Contents", "modified": "2026-05-09T04:27:35.492000", "created": "2026-05-09T04:23:24.510000", "tags": [ "server", "date", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "registrant city", "us registrant", "email", "code", "contact", "pe32", "intel", "ms windows", "generic cil", "executable", "mono", "win32 dynamic", "link library", "delphi generic", "pe32 library", "icons library", "blob", "strings", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 464, "hostname": 304, "URL": 520, "domain": 72, "email": 3, "FileHash-MD5": 23, "FileHash-SHA1": 12, "IPv4": 30 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd77791314336d2ce3b694", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:30.965000", "created": "2026-05-08T05:41:13.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 204, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1262, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd777910676e8bf0b845ee", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.869000", "created": "2026-05-08T05:41:13.718000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd777a9e7f4113aeb6b47c", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.152000", "created": "2026-05-08T05:41:14.795000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd777b0f4e9133dee0511f", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:28.276000", "created": "2026-05-08T05:41:15.674000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d6585753bfdc08890a4", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:54:34.222000", "created": "2026-05-06T13:08:53.749000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 662, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7, "CVE": 1 }, "indicator_count": 2687, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d632800402652054b73", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:51.417000", "created": "2026-05-06T13:08:51.417000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d628de55fd4fef0e2bc", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:50.546000", "created": "2026-05-06T13:08:50.546000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d5b5642ffb183d38fa8", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:43.093000", "created": "2026-05-06T13:08:43.093000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d58494c7b444832ea5b", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:40.248000", "created": "2026-05-06T13:08:40.248000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d5596fa1ad26e3f4319", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:37.416000", "created": "2026-05-06T13:08:37.416000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da51c10813dfbe282732", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T14:15:36.554000", "created": "2026-05-02T11:04:49.540000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 458, "domain": 148, "hostname": 437 }, "indicator_count": 2002, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da51d5739f612fc46ae3", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T14:15:36.065000", "created": "2026-05-02T11:04:49.698000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 126, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 459, "domain": 148, "hostname": 437 }, "indicator_count": 2004, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da5142629b698a6b8b62", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T13:50:03.475000", "created": "2026-05-02T11:04:49.537000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 458, "domain": 148, "hostname": 437 }, "indicator_count": 2002, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5da5130529fa50233c8ff", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T11:04:49.485000", "created": "2026-05-02T11:04:49.485000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 457, "domain": 148, "hostname": 437 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f5c7edeaed8737d4ed86d3", "name": "CAPE Sandbox", "description": "Cannot add TLP.", "modified": "2026-05-02T10:55:44.068000", "created": "2026-05-02T09:46:21.469000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 457, "domain": 148, "hostname": 437 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage.", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "Pending Review.", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "Do Not Run", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Spymax", "Hybrid trojan spy and banker", "Cypher", "Spynote" ], "industries": [ "Legal", "Telecommunications", "Government", "Technology", "Education" ], "unique_indicators": 15175 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/altisource.com", "whois": "http://whois.domaintools.com/altisource.com", "domain": "altisource.com", "hostname": "image.email3.altisource.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 31, "pulses": [ { "id": "6a0fec7257bc32c037c9be08", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T06:18:07.234000", "created": "2026-05-22T05:41:06.053000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 638, "FileHash-SHA1": 366, "FileHash-SHA256": 1441, "IPv4": 377, "URL": 1697, "domain": 404, "hostname": 873, "CIDR": 1, "Mutex": 1, "IPv6": 19, "email": 9 }, "indicator_count": 5826, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec7156a2d7cd795090ba", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:41:05.023000", "created": "2026-05-22T05:41:05.023000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec697a7cef13f5cf8fdf", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:57.737000", "created": "2026-05-22T05:40:57.737000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec65b9ecad6466cf0144", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:53.032000", "created": "2026-05-22T05:40:53.032000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0fec5d56a2d7cd795090b9", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:45.104000", "created": "2026-05-22T05:40:45.104000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2d25595b3d89057042", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.797000", "created": "2026-05-10T15:03:09.026000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 508, "domain": 139, "hostname": 317, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1642, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2c69cc5c3b5aa7185e", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.327000", "created": "2026-05-10T15:03:08.205000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 512, "domain": 141, "hostname": 323, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://image.email3.altisource.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://image.email3.altisource.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780224630.5328677 }