{ "type": "URL", "indicator": "https://www.mozilla.com.cn/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.mozilla.com.cn/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4325911349, "indicator": "https://www.mozilla.com.cn/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a101b839df4493da69621a2", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-25T21:25:42.679000", "created": "2026-05-22T09:01:55.489000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1647, "IPv4": 146, "URL": 826, "hostname": 769, "domain": 396, "email": 7, "IPv6": 2, "Mutex": 1 }, "indicator_count": 3951, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b73325050835339892c", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:18.535000", "created": "2026-05-22T09:01:39.942000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 163, "FileHash-SHA256": 1939, "IPv4": 172, "URL": 826, "hostname": 770, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 4473, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b796e100c09c491429e", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:16.979000", "created": "2026-05-22T09:01:45.017000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 146, "URL": 822, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3914, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b83a6873110c5e69e29", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:15.876000", "created": "2026-05-22T09:01:55.189000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b874f712c713c7de979", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:06.959000", "created": "2026-05-22T09:01:59.502000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 3913, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a11810e7bc0d9d7652b4fcb", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:44:37.782000", "created": "2026-05-23T10:27:26.040000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "FileHash-MD5": 63, "FileHash-SHA1": 65, "FileHash-SHA256": 456, "domain": 116, "hostname": 495, "URL": 862, "email": 1 }, "indicator_count": 2252, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1181104aab1e5b6484a6d2", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:34:56.494000", "created": "2026-05-23T10:27:28.048000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 70, "FileHash-MD5": 19, "FileHash-SHA1": 18, "FileHash-SHA256": 412, "domain": 96, "hostname": 409, "URL": 810, "email": 1 }, "indicator_count": 1835, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e891990e460b7c453f3c3", "name": "Spyware: Q. Vashti, VirusTotal Box of Apples Sandbox report", "description": "[Spyware: A complete list of words, phrases, symbols and symbols. and the full text of this page, published by Q.Vashti Public TLP, has been released.] Follow Q.Vashti, excellent researcher.", "modified": "2026-05-21T05:24:25.308000", "created": "2026-05-21T04:24:57.187000", "tags": [ "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "file", "operations", "process open", "write delete", "move time", "url https", "url http", "months ago", "spam author", "spyware created", "modified", "iiiii whoo", "maas", "scan", "iocs", "indicator role", "title added", "active related", "pulses url", "cloudflare", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "MA", "legal deadlock", "Compliance lock abuse", "Phone carrier interception 9999999999", "Plot", "Coordinated state abuse", "Enemy of the state", "Suppression", "Guard abuse", "the real fake admin of all domains and devices", "Mass", "Ina", "Maassina", "Signet" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4288, "domain": 63, "IPv4": 4, "hostname": 207, "URL": 570, "FileHash-MD5": 39, "FileHash-SHA1": 40, "CIDR": 1, "email": 3 }, "indicator_count": 5215, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e891a083b6406d9d79c62", "name": "Spyware: Q. Vashti, VirusTotal Box of Apples Sandbox report", "description": "[Spyware: A complete list of words, phrases, symbols and symbols. and the full text of this page, published by Q.Vashti Public TLP, has been released.] Follow Q.Vashti, excellent researcher.", "modified": "2026-05-21T04:24:58.168000", "created": "2026-05-21T04:24:58.168000", "tags": [ "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "file", "operations", "process open", "write delete", "move time", "url https", "url http", "months ago", "spam author", "spyware created", "modified", "iiiii whoo", "maas", "scan", "iocs", "indicator role", "title added", "active related", "pulses url", "cloudflare", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "MA", "legal deadlock", "Compliance lock abuse", "Phone carrier interception 9999999999", "Plot", "Coordinated state abuse", "Enemy of the state", "Suppression", "Guard abuse", "the real fake admin of all domains and devices", "Mass", "Ina", "Maassina", "Signet" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 141, "domain": 47, "IPv4": 2, "hostname": 169, "URL": 372, "FileHash-MD5": 5, "FileHash-SHA1": 2, "CIDR": 1, "email": 3 }, "indicator_count": 742, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 7438 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mozilla.com.cn", "whois": "http://whois.domaintools.com/mozilla.com.cn", "domain": "mozilla.com.cn", "hostname": "www.mozilla.com.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a101b839df4493da69621a2", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-25T21:25:42.679000", "created": "2026-05-22T09:01:55.489000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1647, "IPv4": 146, "URL": 826, "hostname": 769, "domain": 396, "email": 7, "IPv6": 2, "Mutex": 1 }, "indicator_count": 3951, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b73325050835339892c", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:18.535000", "created": "2026-05-22T09:01:39.942000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 163, "FileHash-SHA256": 1939, "IPv4": 172, "URL": 826, "hostname": 770, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 4473, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b796e100c09c491429e", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:16.979000", "created": "2026-05-22T09:01:45.017000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 146, "URL": 822, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3914, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b83a6873110c5e69e29", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:15.876000", "created": "2026-05-22T09:01:55.189000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a101b874f712c713c7de979", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:06.959000", "created": "2026-05-22T09:01:59.502000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 3913, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a11810e7bc0d9d7652b4fcb", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:44:37.782000", "created": "2026-05-23T10:27:26.040000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "FileHash-MD5": 63, "FileHash-SHA1": 65, "FileHash-SHA256": 456, "domain": 116, "hostname": 495, "URL": 862, "email": 1 }, "indicator_count": 2252, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1181104aab1e5b6484a6d2", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:34:56.494000", "created": "2026-05-23T10:27:28.048000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 70, "FileHash-MD5": 19, "FileHash-SHA1": 18, "FileHash-SHA256": 412, "domain": 96, "hostname": 409, "URL": 810, "email": 1 }, "indicator_count": 1835, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e891990e460b7c453f3c3", "name": "Spyware: Q. Vashti, VirusTotal Box of Apples Sandbox report", "description": "[Spyware: A complete list of words, phrases, symbols and symbols. and the full text of this page, published by Q.Vashti Public TLP, has been released.] Follow Q.Vashti, excellent researcher.", "modified": "2026-05-21T05:24:25.308000", "created": "2026-05-21T04:24:57.187000", "tags": [ "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "file", "operations", "process open", "write delete", "move time", "url https", "url http", "months ago", "spam author", "spyware created", "modified", "iiiii whoo", "maas", "scan", "iocs", "indicator role", "title added", "active related", "pulses url", "cloudflare", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "MA", "legal deadlock", "Compliance lock abuse", "Phone carrier interception 9999999999", "Plot", "Coordinated state abuse", "Enemy of the state", "Suppression", "Guard abuse", "the real fake admin of all domains and devices", "Mass", "Ina", "Maassina", "Signet" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4288, "domain": 63, "IPv4": 4, "hostname": 207, "URL": 570, "FileHash-MD5": 39, "FileHash-SHA1": 40, "CIDR": 1, "email": 3 }, "indicator_count": 5215, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e891a083b6406d9d79c62", "name": "Spyware: Q. Vashti, VirusTotal Box of Apples Sandbox report", "description": "[Spyware: A complete list of words, phrases, symbols and symbols. and the full text of this page, published by Q.Vashti Public TLP, has been released.] Follow Q.Vashti, excellent researcher.", "modified": "2026-05-21T04:24:58.168000", "created": "2026-05-21T04:24:58.168000", "tags": [ "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "file", "operations", "process open", "write delete", "move time", "url https", "url http", "months ago", "spam author", "spyware created", "modified", "iiiii whoo", "maas", "scan", "iocs", "indicator role", "title added", "active related", "pulses url", "cloudflare", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "MA", "legal deadlock", "Compliance lock abuse", "Phone carrier interception 9999999999", "Plot", "Coordinated state abuse", "Enemy of the state", "Suppression", "Guard abuse", "the real fake admin of all domains and devices", "Mass", "Ina", "Maassina", "Signet" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 141, "domain": 47, "IPv4": 2, "hostname": 169, "URL": 372, "FileHash-MD5": 5, "FileHash-SHA1": 2, "CIDR": 1, "email": 3 }, "indicator_count": 742, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.mozilla.com.cn/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.mozilla.com.cn/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780224517.0364125 }