{ "type": "URL", "indicator": "https://libraries.mpsd.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://libraries.mpsd.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4335652562, "indicator": "https://libraries.mpsd.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6a030a7e7af998b0bc50d255", "name": "Inbox Termination Flood VirusTotal report for download.rar", "description": "[Malicious: Rar.rar (Rar!S8:z}b), a free archive that can be downloaded via 7Zip or 7zip, for use in the Windows operating system.] This email has vast capbilities, some of the best are email flooding, retrieval, destruction, extraction, tasks and more. This email on 6/3/25 led a client into a wormhole that they never actually got the delievery of it. Just the compliance locked email that destroyed their identity. It appears the temp folder that housed in malicious scripts was made months prior. I could not upload the Cape sandbox. Bundled 58, dropped 58, ensuring you will never get your life back.", "modified": "2026-05-12T11:49:25.043000", "created": "2026-05-12T11:09:50.783000", "tags": [ "file type", "crlf line", "ascii text", "unicode text", "utf8 text", "html document", "json", "python script", "mitre attack", "network info", "window", "next", "flood email", "drops prompts", "malicious", "illegal", "gov", "crosstenant", "prepared months before in temp folder" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/86a27baba6d32b5c6fba49e2e99864c7d0feada360b55cfc63adb4383e58be77_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778583610&Signature=f3mubmpIGOjgn7yQIqVaPC8J5mcemkwpt3Yl3noIO7eheDcS0pvTXfJfGi4WzCTHzTXgjtWE36sh%2BSHtRa%2FHFX1lvvQnPgqQpvY%2FDVlhYYVKl1nwyiZFuUZliHBmes0%2FGUhViWWRiyYHxDkn7Yj7fV7EMQqnCtlxO%2FMVJf5%2BsmjEkpk%2Frahm4sEcFERizEQtsZBKSnnp%2B1v6RFDphsiX0Ri0ZISYRqmGpmH%2FGvP2%2FQKrXXc9br" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 212, "IPv4": 77, "URL": 398, "domain": 503, "hostname": 347, "email": 4 }, "indicator_count": 1557, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed9859e3d403a869a56d9", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T07:20:23.936000", "created": "2026-05-09T06:51:49.607000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 522, "IPv4": 409, "hostname": 645, "domain": 178, "URL": 786, "FileHash-SHA1": 288, "FileHash-SHA256": 392, "CVE": 1 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f97a905451e3304319988b", "name": ".may 4 clone own on may 5", "description": "", "modified": "2026-05-07T02:57:38.229000", "created": "2026-05-05T05:05:20.493000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f7fa1a282840a6e0aa370c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3143, "hostname": 2037, "IPv4": 186, "URL": 3288, "CIDR": 12, "email": 43, "domain": 1645, "URI": 1, "SSLCertFingerprint": 18, "CVE": 1 }, "indicator_count": 11083, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d6585753bfdc08890a4", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:54:34.222000", "created": "2026-05-06T13:08:53.749000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 662, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7, "CVE": 1 }, "indicator_count": 2687, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d632800402652054b73", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:51.417000", "created": "2026-05-06T13:08:51.417000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d628de55fd4fef0e2bc", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:50.546000", "created": "2026-05-06T13:08:50.546000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d5b5642ffb183d38fa8", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:43.093000", "created": "2026-05-06T13:08:43.093000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d58494c7b444832ea5b", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:40.248000", "created": "2026-05-06T13:08:40.248000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d5596fa1ad26e3f4319", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:37.416000", "created": "2026-05-06T13:08:37.416000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fae1934f6e33a4ccf7541f", "name": "Habo Analysis System + My own Iocs - Dropped Spybot Extraction with Invalid X[RAR] Cert.", "description": "Certificate Stuffing & Root Exploitation- This binary employs a high-level Certificate Grafting technique. The threat actor has manually appended a chain of X509 certificates to the file's overlay to manipulate the host's trust store.The Microsoft Anchor: The inclusion of the Microsoft Code Verification Root (Serial: 610C1206...) is a strategic TTP. By pinning a defunct Safer Networking Ltd. certificate to a Microsoft root, the binary aims to exploit Windows Authenticode logic which may default to \"Trusted\" if the root is recognized, regardless of leaf expiration.Signature Status: Invalid/Not Signed. Despite the 22MB of certificate metadata, the Authentihash does not match. The certificates are static artifacts in the overlay, not functional cryptographic signatures.2. Hardware-Level Evasion (RDTSC)The sample contains Direct CPU Clock Access (RDTSC) instructions. This is a non-standard behavior for legitimate installers and is used for Anti-Analysis (T1497.001): See References for more information.", "modified": "2026-05-06T08:11:11.834000", "created": "2026-05-06T06:37:07.013000", "tags": [ "technology", "subdomains", "date", "domain status", "registrar abuse", "handle", "dnssec", "registrar", "record type", "ttl value", "rdap", "rdap database", "entity", "code", "contact", "iana registrar", "markmonitor", "domain name", "registrant city", "us registrant", "email", "registrant fax", "server", "iana id", "contact phone", "registrar url", "registrar whois", "search", "filesspybot", "detail info", "tickcount", "text", "classname", "processid", "threadid", "startaddress", "parameter", "window", "behaviour", "spybot", "class", "shell", "find", "serial number", "verisign time", "stamping", "ca valid", "from", "code signing", "algorithm", "thumbprint", "signer", "ca name", "verisign class", "symantec time", "root valid", "neutral", "ascii text", "russian neutral", "data rtdialog", "chromium" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG", "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper.Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.", "Temporal Inconsistency & PersistenceThe 8-Year Gap.", "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine.Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.", "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.", "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034", "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.", "", " Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B", "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 75, "FileHash-SHA256": 342, "IPv4": 45, "domain": 14, "hostname": 102, "email": 3, "URL": 51 }, "indicator_count": 731, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f7fa1a282840a6e0aa370c", "name": "May the 4th be with... every destructed file that never died", "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.", "modified": "2026-05-05T05:04:02.911000", "created": "2026-05-04T01:44:57.811000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3142, "hostname": 1890, "IPv4": 162, "URL": 3241, "CIDR": 12, "email": 37, "domain": 1616, "URI": 1, "SSLCertFingerprint": 18 }, "indicator_count": 10828, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes.", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034", "Research Suggests:", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO", "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage.", "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper.Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Temporal Inconsistency & PersistenceThe 8-Year Gap.", "Do Not Run", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine.Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.", "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "iTunesLibrary.arm64e.bridgesupport", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", " Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.", "Pending Review.", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/86a27baba6d32b5c6fba49e2e99864c7d0feada360b55cfc63adb4383e58be77_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778583610&Signature=f3mubmpIGOjgn7yQIqVaPC8J5mcemkwpt3Yl3noIO7eheDcS0pvTXfJfGi4WzCTHzTXgjtWE36sh%2BSHtRa%2FHFX1lvvQnPgqQpvY%2FDVlhYYVKl1nwyiZFuUZliHBmes0%2FGUhViWWRiyYHxDkn7Yj7fV7EMQqnCtlxO%2FMVJf5%2BsmjEkpk%2Frahm4sEcFERizEQtsZBKSnnp%2B1v6RFDphsiX0Ri0ZISYRqmGpmH%2FGvP2%2FQKrXXc9br" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cypher", "Hybrid trojan spy and banker", "Spynote", "Spymax" ], "industries": [ "Education", "Government", "Legal", "Technology", "Telecommunications" ], "unique_indicators": 14855 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mpsd.org", "whois": "http://whois.domaintools.com/mpsd.org", "domain": "mpsd.org", "hostname": "libraries.mpsd.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6a030a7e7af998b0bc50d255", "name": "Inbox Termination Flood VirusTotal report for download.rar", "description": "[Malicious: Rar.rar (Rar!S8:z}b), a free archive that can be downloaded via 7Zip or 7zip, for use in the Windows operating system.] This email has vast capbilities, some of the best are email flooding, retrieval, destruction, extraction, tasks and more. This email on 6/3/25 led a client into a wormhole that they never actually got the delievery of it. Just the compliance locked email that destroyed their identity. It appears the temp folder that housed in malicious scripts was made months prior. I could not upload the Cape sandbox. Bundled 58, dropped 58, ensuring you will never get your life back.", "modified": "2026-05-12T11:49:25.043000", "created": "2026-05-12T11:09:50.783000", "tags": [ "file type", "crlf line", "ascii text", "unicode text", "utf8 text", "html document", "json", "python script", "mitre attack", "network info", "window", "next", "flood email", "drops prompts", "malicious", "illegal", "gov", "crosstenant", "prepared months before in temp folder" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/86a27baba6d32b5c6fba49e2e99864c7d0feada360b55cfc63adb4383e58be77_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778583610&Signature=f3mubmpIGOjgn7yQIqVaPC8J5mcemkwpt3Yl3noIO7eheDcS0pvTXfJfGi4WzCTHzTXgjtWE36sh%2BSHtRa%2FHFX1lvvQnPgqQpvY%2FDVlhYYVKl1nwyiZFuUZliHBmes0%2FGUhViWWRiyYHxDkn7Yj7fV7EMQqnCtlxO%2FMVJf5%2BsmjEkpk%2Frahm4sEcFERizEQtsZBKSnnp%2B1v6RFDphsiX0Ri0ZISYRqmGpmH%2FGvP2%2FQKrXXc9br" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 212, "IPv4": 77, "URL": 398, "domain": 503, "hostname": 347, "email": 4 }, "indicator_count": 1557, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f1d2994909edd6dcec", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:56.546000", "created": "2026-05-11T11:09:37.208000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 234, "FileHash-SHA1": 208, "FileHash-SHA256": 975, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7, "CVE": 10 }, "indicator_count": 2604, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01b8f37796bdd1adce15a4", "name": "*Spynotes Across The World Remain United* VirusTotal report for program.exe", "description": "Msudosos, Level Blue Platform- This binary is a high-entropy malicious wrapper that clones GoogleUpdate.exe metadata but fails critical Chain of Trust verification. Its architecture is designed to bypass signature-based EDR via memory-only execution.Technical Indicators:Signature Discontinuity: Claims a Google LLC identity but lacks a valid Authenticode signature. In Zero-Trust environments, this is a high-confidence Block Event.Steganographic Overlay: The 167KB footprint contains an unmapped overlay\u2014a classic container for encrypted second-stage payloads (e.g., Lumma/RedLine).Evasion Tactics: Utilizes Process Hollowing to execute in memory, remaining silent against traditional heuristic scanning.C2 Network Pivot: Observed beaconing to high-entropy or non-standard TLDs ([.top], [.xyz]). Immediate egress filtering is recommended for these domains.Please Credit Level Blue for their continued commitment to internet preservation and threat intelligence sharing.", "modified": "2026-05-12T06:39:53.636000", "created": "2026-05-11T11:09:39.214000", "tags": [ "sigma", "file type", "autorun keys", "spawns", "drops pe", "pe32", "intel", "ms windows", "contains medium", "suricata ids", "malicious", "persistence", "defense evasion", "next", "cname", "library", "strong", "accept", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "bootkit", "shutdown", "loads", "yara", "accesses", "toll free", "mitre attack", "network info", "spynote", "zenbox android", "verdict", "report", "fraud", "performs dns", "pe file", "creates", "rdtsc time", "hips", "t1055 process", "info", "evader mitre", "rules not", "discovery", "tracking", "memory pattern", "malware", "trojan", "info ids", "found sigma", "found", "capture", "google", "execution fille", "execution file", "choco", "ran sandbox", "files malicious", "copy", "none rticon", "cache", "payload", "virlock", "explorer", "impact", "write", "bits", "detail info", "tickcount", "offset", "behaviour", "processid", "threadid", "startaddress", "parameter", "imagepath", "cmdline", "window", "shell", "find", "t regdword", "stagedevice", "user", "v hidden", "v hidefileext", "enablelua", "regdword f", "registry keys", "contained", "executable", "submission", "english us", "vhash", "authentihash", "win32 exe", "generic", "default", "cultureneutral", "sha256", "back", "thumbprint md5", "serial number", "code signing", "algorithm", "from", "thumbprint", "issuer digicert", "name digicert", "trusted g4", "rticon english", "chi2", "utc entry", "point", "sections", "sections name", "virtual address", "virtual size", "korean", "brazilian", "rich pe", "magic pe32", "compiler" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494008&Signature=EsctXoE%2BSDmFioFC6z4LKAOPOpMu8jED51nlqwgSNq8VjjM3cv3CTEAVzxTOrXP4j9Xc%2FyJW2fu4VBkaXgCKS1yuOBn9ocDJ0M7M3qt8Px%2F4O3fylioHwGvrSZTGlV4cdJR7n%2BLo7HoFaRnyukdl9a0jNb95Uiccc1g%2Bf8BTxRjNO6G2B1XUSftIp1FX5YPVXKzoHhlsNSE1nrGFeFMNnFHr13UejrpV9YgZ13agUEx19JZRH5KTpfiTrEaZ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494157&Signature=ScEHT3Pn30ZnTiH3VNrkcD7NwY%2BSCjmqMdm62mSko6EvBCQ%2B9V8GfJVVIRAGJowf%2BWTfhB7ezaLx0hvokkb%2FzZYJGqDPXzz2TtFskUai1z6O0UNoFQrlq1hxhM9%2B%2FMZUkhhP0jncTWJIK87xcPnX6K3lsnFzf9muPyRUE%2BFusQdk%2B20ru72CFupxVtSw170eiQZAXyszRHfn%2Fz61ylbe8t4Y%2FFByeY%2Fk7%2Bc2pi", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494279&Signature=A7hHCeYL8R3WQ9fQ0bFezYcM1hhjq5C4zTUGq3SgWa9nQ12vSvN26H2yXkMFw0Zwk3N%2BKBpiccHFN4AfDuub000PwEWYGXuaV%2F%2BOdPPUX4Vf5kLHo4sYHE%2F9lzdBpJBcDeD7Y7M1ivyl9IOwJdieifIhAt4m3qtRH1lTsR2nxS6sQuW2h9mrkRftEvSyJy143AN9AoHfP9k6v1jj63Vb7A8xOTysQCN4fnesKND7HVRemcyguU63NG", "https://vtbehaviour.commondatastorage.googleapis.com/9ee8a10526cca84fc20d1bb493414c93ed860573b019408515fd56a82548cd52_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494305&Signature=jQBpL%2FC0NGKot4KMMzvyuQrjmXJBhCLHsSL%2FG36uLdVTbTlBRLifLfZNNiSHRzNWn%2FectphUJKzX0CeCJvfz0RI8rAF8%2FgLPpcUBYkm6TPTAf58kaa79bDpL9QBaw5C3G9DxRN2v%2FkPepRvnGY1eizqPtjzo8siDLM4IKks6Wp6CoiRDUOIyt5BS8%2B6KXpTh2iOM81kHJYqq4PNSWBlrxE%2BanDlqSeltfBlvcvVLlEyRXJ", "https://vtbehaviour.commondatastorage.googleapis.com/d575fc59210d92dcbb981ecfb0cba9c9f1ccabb08b084d3efe3cf3f0cdc3012e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494357&Signature=A%2Bd6M9ktY81zuNetXhb7B%2FUVxXkF%2F6I6mFSR6fz0wXIbtq54OOus5yfbHy%2Bab7W2WH2IJch7rmVFHjXxNloEIhANs1NYGyc3Qfb0RU50UTTDwVmv4ARNMPOSJ1Y6Gq88DEhxdwrHUmiwF6EhwNy1JQLgR209smKxuXD4TrDXF%2B4PJiKvXHz6uJU77B6tjn%2BuPl7kQE%2Ffw560TqHtioIcbkV9cONlvmywtfgAF68XVF5qGLvhx32lRnZt", "https://vtbehaviour.commondatastorage.googleapis.com/00000af1449a9039adf232071827b825d35afa436426f92c8be4b4db159c7f37_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778494544&Signature=DdyTGijepllUxh6IwRNIn0Cf9FjDwhcMxsOryCnWdRM9wikvIeuUqzWWCKsRd266rZY9RK8yBdRerxYq71fO2r4pep%2FUsOYqbk7674ru82ghnqyOFZ%2BBkE%2BVy1XfkOKOBk8%2BZjNy8htwBqZOgeMFBTpL%2Fvcb1tfNNe0awk%2FEGhnQaBX5A6VQMxuWY6juLZyjQ6LYYn2i1aPR206kLiOeOg8zF9t9qnG2bdx3CJAAeJ%2FI7zuZ", "https://vtbehaviour.commondatastorage.googleapis.com/fea940c851543814f446311960955060b18ed7861c1467e0629e80be0334df08_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778495418&Signature=z5JhwW9GQXeKzCdbh3NKziaGP1x2Zr%2FahQbRsscRKYlWDj3U7%2B0jj5HvoJQc60yA2PjKjuqBpSR2uVBnS%2BynIMLcjlr7si89dbSTcH65KyGrAA525Ng1VrlHpamhaYzX0sGRhkLbVD5R4%2BL2H3nURAFjzi5PuNVH7LNUx66P2BIKwF5LZ5%2BfymsSx4bRL2Em7bjhGZU8sOFZbJvYxw7p2zeLqpbBXhb1qj0dJF6BpRYPO0I93zrB", "iTunesLibrary.arm64e.bridgesupport", "https://vtbehaviour.commondatastorage.googleapis.com/000821098cb6421f8f94c82f4f8335fd0acaa1b7e78310f809ca86ab87458254_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778496708&Signature=Mfeq4pHFT7D%2BjYPJ67LLTlBP%2FenKI7uq11mZFOlHxtRSV7Qbvy803JoupDfUyXx708zlUc9UN8cbk3DQyok8lTsDhXR%2FAKdjGoKFnqlzlijIc7tsIT9U4CThjCOS21CssB7G7egTHTwyGRT5%2FhYw5YBFyDztrbXg715hcunGJ0Y3Hax1njVK5mrOy%2Bw44n9uvtEQHHNg2E0AZFc3WupSrd6Kdair6hLXk22u6MbYCUGv0xvQ9Uo2", "Refer to related pulses grammarsoft, tbb chained, belasco chained broken docusign seal.", "It is important to prioritize cryptographic validation. Deletion and expiration will not work. Many want to aid in this if needed.", "PREFACE: [A report generated by the University of Oxford on the 11th of May, 2026, has identified a malicious version of the Windows operating system, which has been running for almost 20 years and is capable of being run in DOS mode.]", "Strategic ResponseImmediate Containment: Terminate any process tree originating from this hash.Forensic Artifact: Check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for anomalies.", "There is an array of additional interconnected software related to not only this, but a web of certificate chains I and many others have been mapping to support this with good intent for internet integrity.", "Overlay chi2 40295.73 filetype unknown entropy 7.45587682723999 offset 151552 size 19928 md5 e4a9a363a8d765b06805811b1fdff040", "Expired Credential Hijacking:Primary Path: Clones DigiCert G4 chain (Serial: 0E44...5CE5) which expired July 10, 2024.Legacy Path: Clones DigiCert Assured ID chain (Serial: 06AE...F033) which expired November 16, 2022.", "Execution Logic: Designed for Process Hollowing via the .reloc and .text sections, turning a \"trusted\" Google shell into a Wiper/SpyNote host. Hollow Roots.", "Architectural Deception: Built using VS2019 (v16.0.0) to mimic official development environments, yet contains a high-entropy (7.45) unmapped overlay at offset 151552.", "Security researchers should not whitelist based on metadata alone. This binary is a prime example of Brand Impersonation for destructive espionage." ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Iran, Islamic Republic of", "United Kingdom of Great Britain and Northern Ireland", "Korea, Democratic People's Republic of", "Brazil", "Canada", "United States of America" ], "malware_families": [ { "id": "Hybrid Trojan Spy and Banker", "display_name": "Hybrid Trojan Spy and Banker", "target": null }, { "id": "SpyNote", "display_name": "SpyNote", "target": null }, { "id": "SpyMax", "display_name": "SpyMax", "target": null }, { "id": "Cypher", "display_name": "Cypher", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [ "Legal", "Government", "Education", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "IPv4": 103, "FileHash-MD5": 243, "FileHash-SHA1": 213, "FileHash-SHA256": 983, "URL": 578, "hostname": 348, "CIDR": 1, "email": 7 }, "indicator_count": 2616, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed9859e3d403a869a56d9", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T07:20:23.936000", "created": "2026-05-09T06:51:49.607000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 522, "IPv4": 409, "hostname": 645, "domain": 178, "URL": 786, "FileHash-SHA1": 288, "FileHash-SHA256": 392, "CVE": 1 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f97a905451e3304319988b", "name": ".may 4 clone own on may 5", "description": "", "modified": "2026-05-07T02:57:38.229000", "created": "2026-05-05T05:05:20.493000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f7fa1a282840a6e0aa370c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 368, "FileHash-SHA256": 3143, "hostname": 2037, "IPv4": 186, "URL": 3288, "CIDR": 12, "email": 43, "domain": 1645, "URI": 1, "SSLCertFingerprint": 18, "CVE": 1 }, "indicator_count": 11083, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d6585753bfdc08890a4", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:54:34.222000", "created": "2026-05-06T13:08:53.749000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 662, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7, "CVE": 1 }, "indicator_count": 2687, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d632800402652054b73", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:51.417000", "created": "2026-05-06T13:08:51.417000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fb3d628de55fd4fef0e2bc", "name": "vxCube \u2014 Report + other sandboxes- Firmware Nuetral", "description": "[sample of malicious software from the Firefox operating system has been analysed by Microsoft's security team, the Office of the President, and the Microsoft Research Research Centre (MSR) in the US.]", "modified": "2026-05-06T13:08:50.546000", "created": "2026-05-06T13:08:50.546000", "tags": [ "port", "protocol level", "application", "next connection", "previous", "address", "full path", "behavior", "programfiles", "system32", "dump", "malicious", "path", "nethandle", "net108", "net1080000", "mcics", "orgid", "mcics address", "loudoun county", "pkwy city", "postalcode", "orgtechhandle", "services", "city", "stateprov", "rabuseref", "rabusehandle", "brockdorff", "c source", "utf8 unicode", "c program", "crlf", "lf line", "united", "https", "mitre attack", "network info", "processes extra", "tls version", "overview", "overview os", "x sandbox", "verdict", "next", "parent pid", "command line", "default", "nothing", "registry keys", "openasrundll c", "shell folders", "file execution", "k netsvcs", "ascii text", "categories", "settings", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "inprocserver32", "file type", "accept", "shutdown", "stream", "template", "cname", "value a", "first counter", "bearer", "mbisslshort", "bridge", "info", "date", "agent", "root", "mutexes nothing", "files c", "read files", "read registry", "keys nothing", "ipmgmt", "orgtechref", "orgabusehandle", "orgabuseref", "win1", "acrongl integ", "adc4240758", "heuristic match", "pattern match", "x2dax2da", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "angsana new", "back", "style", "cohasset police", "department", "doctype html", "head", "link", "cohasset", "title", "noscript", "meta", "performs dns", "urls", "downloads", "found", "http", "phishing" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3a84ea97f8bfafb4a3ad6afa252315fa2c3529a732cad9070f045696dea0095e_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070092&Signature=yQBUKJDn%2FE85%2Bvl5P67ywdjBoRJ9GZj%2F%2BePT2hJjEffamM3aO%2BQVSWq3TEsVfnNMCrMPcAsJaRu64RPZJxztS%2BgQtOpCjQFUv%2FtAUou8ougQPOunxMuuX1m3PjxBDqourRIeENFZO77MUSjWuVCFEtG882utsoMv2%2FovTPqG8LU0NxjlfwMovVpkkg94Dl1tZ6O0VYlnipdZBtM6Web8IAlNUAyR4CvJrv%2BM1IR67fi", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070807&Signature=3Dm7s%2FWRPcwn5VP1fZqDViARRLpzpU7PhwwfHx%2BqMe02mkhGSmislwkS8ckH3N1K1YNVxQfqnYu89FHUKpUwC%2BOyk62pASZINgeaGaCbiysNZvDGs%2F2bN6sqg3bmKDPeVDLF34BlRrnunSY9pW0x1yITnVIRn%2FuSz9QZWFDonZBEPgt35JYofh7f9yIlA748rsPLmeMPA3RByc2n0aof5W3ghVdeTr90wlQAPidcpmEWNRXCEYPH", "https://vtbehaviour.commondatastorage.googleapis.com/076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778070947&Signature=Pkvb9Ml3f67kATtPQnKDPoRC9hQFahD3ukXAX89sLQoBuLuyPnKpZAOIOnSPYjdPv4WWamTA32WSWfVjVswMo%2FxhdtvqyQ3BysNGqKOT35gQ1YGZkZE2%2Bx6lA0XHfdv7ZLkCTVyTUd5O2WzXo1zqFBiyh3PORdPcyikZvKrywiURORR5HeHZ1KRu5Mc%2Fy5u%2FVhA4hHTzRLJiNgzC0LCacu5aimzZ%2F5uWpy6xypNiXN5HwM4hrXNW", "https://vtbehaviour.commondatastorage.googleapis.com/da7e7a13944b0bf0f34215c4dd57810f470a43940141f9799841bce91c42b40e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071428&Signature=jg4VsRqc9AHseQKbSiN9X3N19v33%2B77cUjnoREoq3%2FAmob%2FK3l8KEZhhL1wGCFaOtjmj50aTom8QTJxDGPm9rawrO8J1V%2B8zF%2FRlfppMMiuQBSmfbpNhkJREFuRAjCvwHAxsrsixKwbxYtOMD%2FU5QrBSrkg%2B8xV3PpeZdM0J5dM8Ay%2Be1ZBCPy36ntYzbevszIsncCdUaH0Xy9WnsHV7Ps09g%2F1Z7z9rGZWdCZrPqZi3", "https://vtbehaviour.commondatastorage.googleapis.com/d3913c5d8f77fff5191b43bd32dbd8178958891bd1d90efe7a7d969ef4ab602d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778071932&Signature=j2umSLl4iyhp%2FxLzsH2vZYAyU%2Fx8ki4zCfuDcXx4UgkjsO5DPIByYk043fTjoRkyd542Vqqz%2F22PYnjwhhjRJ7lXaJCPCcmtSfsWP1zGllMKIgDV57e%2FmtN%2FAzQ%2BNlqIVxXmL9peGu%2B75w6x0YaGUTBYw17iOlL87DRfZhl8Li6xlA7cX4eSHodT%2BO2B7k3D6bzQend61z62Mq76xqXV5zkXIyZCOU9a4KnKZ53nXkwnqm", "https://vtbehaviour.commondatastorage.googleapis.com/3d1c4ea329813f1aec4d7de630dc13acb95bd7b767338efe5b533fca04ff48d8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072001&Signature=gIJuOyCvRHsKP79iVyX27BLkKoVj4d7bKoB84FCSGxlJ9zsLuc7J3OmaluxaiqoJu4T2o7aeANdkYMz6d8wD3%2BFD0dQQU5%2FOhhMAbYBXp73p39CyDndq1e9LD3eNxfnr0uIrt3RccUEfgo2LF8ktZh%2BPm82SICNgJeTwVv3L2YifDZTr0lPeII2WWqpPYd4Y7qWgyUEjXmipc0SPAWZhVHXPY0DJmHbFkv%2F%2FeObiESxFAH%2BCZn", "https://vtbehaviour.commondatastorage.googleapis.com/1e5907b4cc44209637af8273555449b066fe9ce01179cd74c792e4a355a7aa4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072217&Signature=gM91SnakBbk714%2BMza0mWtlxTRy66cB0QyotuErcCDzM8yQYmu6%2Bcy7Z1y970ywZpR05P6F4GhC8w%2Fhcd9kx0fAodkFhb3wHR6C%2F2yqPY1UMuIAOAjc6gmmrRk7%2F4M7m4MVTtnOGppQBfs9YQbqQ0ngyL5CES9vxGqIcyOOgLBRwVYQJ9PRdr5QHxDsJ8oQnGTKtuy4SKZnWfNJC7dAJhebDBsgHJRkYO9oUnFoY5uBh%2FFcveZ", "https://hybrid-analysis.com/sample/96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7", "https://hybrid-analysis.com/file-collection/674d072894a867c6c2076c5d", "https://hybrid-analysis.com/file-collection/655e17cc95592e2d640f556e", "https://vtbehaviour.commondatastorage.googleapis.com/e1280a3b44c48db6234162ad01131ca61f7e8733d78e2e192a53c34a460c6614_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072860&Signature=7lMnvE%2BOZ3HyFUJ9u4mf%2BszccaSI9tFlLU%2FfFNImL7UJfki9ecs6q%2B1ctALN1bsjGkAAmR9EemyHqlljLWn0e%2BoroBznqlwJhGInZW%2FonsioPQgc1Py97%2BpBefHrTJQoW%2FKPNt%2FOfifRY5PeC%2BIrYsr3NTQFk0GbjkyYzcYUA1VVNk6Tl7INGc5cfzN0o8cHk0Vu6pfai%2FBIw7tHSKEtOwq%2BiUFz6sY9KjZ%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072961&Signature=Q1ToAg2fEJbCycZPLTn9XcCcTr7hbVsPvcEd3FyzA%2Fy30S%2F3Fjcr97ZWpo7uFwPWCJ%2B%2FXnWhv108WKa4cKTtueHRihldYXzmlbuKcEHzLgws%2FhCjFy3I8vkwV5Kism8%2FmeFsjp4y9wjLnXq51zsKHczGeUoYWTb7iko%2FVsiD6A%2B5n3ypJ5NcOp6xfCO0P7ty6%2FSLA5htYnTAkWzzC%2FI%2B0hD5Bp2BpWg1BIB7xyVB", "https://vtbehaviour.commondatastorage.googleapis.com/1e50a19bf657ed59e87edf7163629a66006d6c04159f839d0333fea0f208bac2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778072988&Signature=1hSTk5zfAHok3rOeIvCrcVDNrMwVfu7yBxcOq5aYmB3x%2BN3QpW%2BDwvNCBsO4Jf8zXhfzvs%2BYQ8xMFx4Fh%2Bpq1Fijdl5Yewxpj61VU5lf2R3Tb9n3hOu6QgbLTSllehitudG4Z8qG33j6gu0t2wdMCNtMu46i%2B9Onj8DH5ZU5PgueMIAXDPYPD6u5GS4OjmmjihyNDlkuv2HdmzrGlVMWKpTOa7tUNtpbJkhQ8IivcOfOe3nNtEx94wExAEVO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 204, "IPv4": 246, "URL": 661, "hostname": 421, "FileHash-SHA256": 532, "domain": 137, "FileHash-MD5": 473, "CIDR": 4, "email": 7 }, "indicator_count": 2685, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://libraries.mpsd.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://libraries.mpsd.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780223536.1582592 }