{ "type": "URL", "indicator": "https://msoid.bestdirection.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://msoid.bestdirection.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3870694882, "indicator": "https://msoid.bestdirection.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a101b839df4493da69621a2", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-25T21:25:42.679000", "created": "2026-05-22T09:01:55.489000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1647, "IPv4": 146, "URL": 826, "hostname": 769, "domain": 396, "email": 7, "IPv6": 2, "Mutex": 1 }, "indicator_count": 3951, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b73325050835339892c", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:18.535000", "created": "2026-05-22T09:01:39.942000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 163, "FileHash-SHA256": 1939, "IPv4": 172, "URL": 826, "hostname": 770, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 4473, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b796e100c09c491429e", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:16.979000", "created": "2026-05-22T09:01:45.017000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 146, "URL": 822, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3914, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b83a6873110c5e69e29", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:15.876000", "created": "2026-05-22T09:01:55.189000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b874f712c713c7de979", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:06.959000", "created": "2026-05-22T09:01:59.502000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 3913, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 18841 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bestdirection.net", "whois": "http://whois.domaintools.com/bestdirection.net", "domain": "bestdirection.net", "hostname": "msoid.bestdirection.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a101b839df4493da69621a2", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-25T21:25:42.679000", "created": "2026-05-22T09:01:55.489000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1647, "IPv4": 146, "URL": 826, "hostname": 769, "domain": 396, "email": 7, "IPv6": 2, "Mutex": 1 }, "indicator_count": 3951, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b73325050835339892c", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:18.535000", "created": "2026-05-22T09:01:39.942000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 163, "FileHash-SHA256": 1939, "IPv4": 172, "URL": 826, "hostname": 770, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 4473, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b796e100c09c491429e", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:16.979000", "created": "2026-05-22T09:01:45.017000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 146, "URL": 822, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3914, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b83a6873110c5e69e29", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:15.876000", "created": "2026-05-22T09:01:55.189000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b874f712c713c7de979", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:06.959000", "created": "2026-05-22T09:01:59.502000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 3913, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://msoid.bestdirection.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://msoid.bestdirection.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780294233.5296361 }