{ "type": "Domain", "indicator": "jrsoftware.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/jrsoftware.org", "alexa": "http://www.alexa.com/siteinfo/jrsoftware.org", "indicator": "jrsoftware.org", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain jrsoftware.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 34539888, "indicator": "jrsoftware.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 32, "pulses": [ { "id": "6a0fec7257bc32c037c9be08", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T06:18:07.234000", "created": "2026-05-22T05:41:06.053000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 638, "FileHash-SHA1": 366, "FileHash-SHA256": 1441, "IPv4": 377, "URL": 1697, "domain": 404, "hostname": 873, "CIDR": 1, "Mutex": 1, "IPv6": 19, "email": 9 }, "indicator_count": 5826, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec7156a2d7cd795090ba", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:41:05.023000", "created": "2026-05-22T05:41:05.023000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec697a7cef13f5cf8fdf", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:57.737000", "created": "2026-05-22T05:40:57.737000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec65b9ecad6466cf0144", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:53.032000", "created": "2026-05-22T05:40:53.032000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec5d56a2d7cd795090b9", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:45.104000", "created": "2026-05-22T05:40:45.104000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde205095bd98f11dcd2e", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:40:00.363000", "created": "2026-05-22T04:40:00.363000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1e9d38578f83f2f07a", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:58.097000", "created": "2026-05-22T04:39:58.097000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1b366253c296281156", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:55.100000", "created": "2026-05-22T04:39:55.100000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9657, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9657, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f5da51c10813dfbe282732", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T14:15:36.554000", "created": "2026-05-02T11:04:49.540000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 458, "domain": 148, "hostname": 437 }, "indicator_count": 2002, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f5da51d5739f612fc46ae3", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T14:15:36.065000", "created": "2026-05-02T11:04:49.698000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 126, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 459, "domain": 148, "hostname": 437 }, "indicator_count": 2004, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f5da5142629b698a6b8b62", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T13:50:03.475000", "created": "2026-05-02T11:04:49.537000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 458, "domain": 148, "hostname": 437 }, "indicator_count": 2002, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f5da5130529fa50233c8ff", "name": "CAPE Sandbox cellular clone", "description": "", "modified": "2026-05-02T11:04:49.485000", "created": "2026-05-02T11:04:49.485000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69f5c7edeaed8737d4ed86d3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 457, "domain": 148, "hostname": 437 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f5c7edeaed8737d4ed86d3", "name": "CAPE Sandbox", "description": "Cannot add TLP.", "modified": "2026-05-02T10:55:44.068000", "created": "2026-05-02T09:46:21.469000", "tags": [ "tls thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 125, "FileHash-MD5": 432, "FileHash-SHA1": 108, "FileHash-SHA256": 294, "URL": 457, "domain": 148, "hostname": 437 }, "indicator_count": 2001, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c6fe0fbcce0933bbd18609", "name": "VirusTotal report\n for executable.exe", "description": "A sample of malware detected by security firm Yara has been published by the BBC's Security Research Unit on the 27th of March, and is available to download at www.Yara.com.", "modified": "2026-04-26T22:28:08.884000", "created": "2026-03-27T22:00:47.142000", "tags": [ "yara", "mitre attack", "network info", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "report", "guest system", "stealc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/93c8d17cfc1d37198ec68235361328afa953b3986bdd2be8cdce1b3908e32a9c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774649073&Signature=AoE4M%2Bbk8z1dvAQDE71siYrNnSPppxkrJ48W1DDJD9TgbcAJYo7Cw8Ft3fK9nskedxHCtUXq0ClgXN1m4L6a11RhjocW0Ucif3UJFwkMkSAH4oNlAdG7tdDolwUyXabfOp6vbQh7zXP39FeRvoiv5herWATPRVvB22cvlzoKOSUvsCh0t33HjTlTtj9Mw5k8jau29FfpOL7L0ZjLhP39XZ3eVxY10wiXpvcRfUtIZ0oQwIgXCBceigE7ka4MBYoXvjC5" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 7, "domain": 1, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c64acb504d0b8985cf8821", "name": "VirusTotal report\n for executable.exe", "description": "", "modified": "2026-04-26T09:13:38.045000", "created": "2026-03-27T09:15:55.410000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 7, "domain": 1, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c647ad6940228b6bb68603", "name": "Yomi Hunter Sandbox", "description": "Malicious", "modified": "2026-04-26T08:04:27.318000", "created": "2026-03-27T09:02:37.017000", "tags": [ "categories", "xecj", "toggle", "users", "default", "xf4a", "windows", "xc0x88d xc0x88d", "xf4xff xf4xff", "x83xc4 x83xc4", "first", "path", "dynamicloader", "virustotal", "winsta", "mark", "stub", "class", "crypt32", "hotkey", "desktop", "false", "tools", "updater", "winmm", "enterprise", "service", "close" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/93c8d17cfc1d37198ec68235361328afa953b3986bdd2be8cdce1b3908e32a9c_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774602117&Signature=GJRAxOKy5Ti19O5danDm6jZVf9i%2B1jkONiR5EbazB5bXMI%2B40CKT98OHvQNxwneyABK7Ie%2F09NbN5O4flZk3YAHeYRny4U%2BidCF5SA0rEaF3xpXDkcv4soaYTBerX8cN6%2BtKozSPuFaEHxO1r5JJUV%2B1TPmM3vUMLIxZuFGgyhYnjMHPoAS5zBDJ%2BYgkK4flsQLHi3KJ34ZsMMGOac2o4mg0FKU5PvGwttXsaLC308cyAlSUA" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 65, "FileHash-MD5": 220, "FileHash-SHA1": 144, "FileHash-SHA256": 105, "BitcoinAddress": 7, "URL": 128, "hostname": 84, "email": 2 }, "indicator_count": 755, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c6475aa191decaebc7a716", "name": "Yomi Hunter Sandbox", "description": "Malicious", "modified": "2026-04-26T08:04:27.318000", "created": "2026-03-27T09:01:14.165000", "tags": [ "categories", "xecj", "toggle", "users", "default", "xf4a", "windows", "xc0x88d xc0x88d", "xf4xff xf4xff", "x83xc4 x83xc4", "first", "path", "dynamicloader", "virustotal", "winsta", "mark", "stub", "class", "crypt32", "hotkey", "desktop", "false", "tools", "updater", "winmm", "enterprise", "service", "close" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/93c8d17cfc1d37198ec68235361328afa953b3986bdd2be8cdce1b3908e32a9c_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774602117&Signature=GJRAxOKy5Ti19O5danDm6jZVf9i%2B1jkONiR5EbazB5bXMI%2B40CKT98OHvQNxwneyABK7Ie%2F09NbN5O4flZk3YAHeYRny4U%2BidCF5SA0rEaF3xpXDkcv4soaYTBerX8cN6%2BtKozSPuFaEHxO1r5JJUV%2B1TPmM3vUMLIxZuFGgyhYnjMHPoAS5zBDJ%2BYgkK4flsQLHi3KJ34ZsMMGOac2o4mg0FKU5PvGwttXsaLC308cyAlSUA" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 65, "FileHash-MD5": 220, "FileHash-SHA1": 144, "FileHash-SHA256": 105, "BitcoinAddress": 7, "URL": 128, "hostname": 84, "email": 2 }, "indicator_count": 755, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c640f289326bbc6a4a878f", "name": "VirusTotal Windows Sandbox", "description": "", "modified": "2026-04-26T08:04:27.318000", "created": "2026-03-27T08:33:54.223000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 4, "FileHash-SHA256": 10, "URL": 14, "domain": 2, "hostname": 4 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b5d3a6f42c76f35980da09", "name": "CAPE Sandbox- TLP: Amber and Strict", "description": "Following.", "modified": "2026-04-13T21:01:18.278000", "created": "2026-03-14T21:31:18.765000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 78, "FileHash-SHA1": 95, "FileHash-SHA256": 86, "domain": 40, "hostname": 119, "URL": 141 }, "indicator_count": 559, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "48 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aa53582de113e05d102700", "name": "CORRUPT.", "description": "the only wizard I like is Harry", "modified": "2026-04-05T07:38:31.088000", "created": "2026-03-06T04:08:56.281000", "tags": [ "inno setup", "linker", "pe32", "intel", "ms windows", "win32 exe", "pecompact", "pe32 installer", "module", "professional", "delphi" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1181, "FileHash-SHA1": 1182, "FileHash-SHA256": 3383, "URL": 218, "domain": 59, "hostname": 646, "email": 1 }, "indicator_count": 6670, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e36a79b52e21105f258e6e", "name": "Vasyaperskyi from Russia mrt.exe urls in memory", "description": "VirusTotal Graph (miniuser, 2025)", "modified": "2025-11-05T07:02:18.726000", "created": "2025-10-06T07:06:33.301000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/g421f9bbfc29448f8acd6e6e0eaa616e332de270d8f5c4b34bcfc69f325a7bbc7?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 86, "FileHash-MD5": 43, "FileHash-SHA1": 43, "FileHash-SHA256": 135, "domain": 6, "hostname": 39 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c8c74dd728963b54491100", "name": "Creates Skynet Files ?", "description": "I\u2019ve been investigating a victims iPhone , after performing a test a text came through with a a message with Donald Trump pointy and the phone #associated with blanks to fill in. Message: \nWELCOME TO THE GOLDEN AGE OF AMERICA!\n \nPresident Trump launched this number to stay directly connected with YOU, THE AMERICAN PEOPLE. We'll share important updates and ways you can get involved.\n \nAMERICA IS BACK! LET'S GET TO WORK!\n \nClick this link now and fill out the form so we can see your messages. (#45470)", "modified": "2025-10-16T01:04:49.255000", "created": "2025-09-16T02:11:25.219000", "tags": [ "united", "unknown aaaa", "passive dns", "urls", "search", "record value", "certificate", "hostname add", "present may", "present apr", "present jul", "present aug", "present sep", "present jun", "name servers", "title", "encrypt", "ipv4", "url analysis", "files", "location united", "america flag", "domain name", "moved", "domain", "cookie", "ipv4 add", "a domains", "hostname", "hash avast", "avg clamav", "msdefender may", "process32nextw", "read c", "medium", "module load", "t1129", "ms windows", "intel", "spynet", "write", "delphi", "win32", "observer", "script urls", "ip address", "modern asset", "date", "port", "destination", "pe export", "ordinal name", "address", "t pain", "domains", "script domains", "download", "meta", "appstorio", "apple app", "store", "gmt max", "age72000 path", "unknown cname", "domain add", "gmt content", "next associated", "trojan", "worm", "te hash", "avast avg", "accept ch", "unknown ns", "unknown soa", "x pcrew", "canada unknown", "mtb may", "observed dns", "query", "json", "delete", "delete c", "virtool", "defender", "malware", "next", "suspicious", "x cache", "cryptobit", "title error", "reverse dns", "dynamicloader", "xadxb3x1d", "xd7xacx87xd7xba", "x92r", "hxa6cxafxdexdaz", "x81xbcxa0", "x8fvx7fxc1px87f", "xaerx93lx88txc5", "xfex04o", "xf0ux0fxee", "tofsee", "grum", "stream", "powershell", "win64", "skynet" ], "references": [ "in.community.com", "RansomWin32Betisrypt CodeOverlap RansomWin32Nobig CodeOverlap", "TrojanDownloaderWin64Carberp CodeOverlap", "cdn.wallets.cryptobit.live \u2022 kryptonite.cryptobit.live \u2022 https://cryptobit" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 815, "domain": 411, "URL": 1874, "FileHash-MD5": 112, "FileHash-SHA1": 63, "email": 7, "FileHash-SHA256": 309, "SSLCertFingerprint": 5 }, "indicator_count": 3596, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687f4b4cfd8643f70fc2c85c", "name": "?\u00bf?\u00bf?", "description": "", "modified": "2025-08-21T08:03:34.998000", "created": "2025-07-22T08:26:52.598000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "hostname", "files domain", "files related", "pulses otx", "pulses", "virustotal", "server", "date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "port", "destination", "medium", "regopenkeyexw", "windows", "windows server", "win32", "show", "search", "module load", "dock", "unknown", "delphi", "observer", "stream", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 119, "hostname": 905, "URL": 675, "email": 1, "FileHash-SHA256": 873, "FileHash-MD5": 83, "FileHash-SHA1": 80, "SSLCertFingerprint": 2 }, "indicator_count": 2738, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "283 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686cb7673e4d5a0067758fd7", "name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack", "description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal", "modified": "2025-08-07T05:01:52.697000", "created": "2025-07-08T06:15:03.501000", "tags": [ "no expiration", "filehashmd5", "filehashsha1", "filehashsha256", "iocs", "review iocs", "pulse show", "search", "type indicator", "role title", "expiration", "url http", "url https", "text drag", "drop or", "enter source", "url or", "hostname", "ipv4", "related pulses", "showing", "entries", "drop", "domain", "enter", "extract", "browse to", "domain xn", "select file", "pdf report", "pcap", "stix", "openioc", "indicator role", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 840, "FileHash-SHA1": 725, "FileHash-SHA256": 863, "URL": 1663, "SSLCertFingerprint": 17, "domain": 520, "hostname": 734, "email": 11 }, "indicator_count": 5373, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686cb765dc6737fd1e882630", "name": "2nd Attempt- VirusTotal Ransomware and Device destruction Attack", "description": "I hope this generates results. I continue to be unable to annotate. Witnesses attack and 5 very relevant graphs taken. \n#phishing #malware #trojan #ransom #virustotal", "modified": "2025-08-07T05:01:52.697000", "created": "2025-07-08T06:15:01.296000", "tags": [ "no expiration", "filehashmd5", "filehashsha1", "filehashsha256", "iocs", "review iocs", "pulse show", "search", "type indicator", "role title", "expiration", "url http", "url https", "text drag", "drop or", "enter source", "url or", "hostname", "ipv4", "related pulses", "showing", "entries", "drop", "domain", "enter", "extract", "browse to", "domain xn", "select file", "pdf report", "pcap", "stix", "openioc", "indicator role", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 840, "FileHash-SHA1": 725, "FileHash-SHA256": 863, "URL": 1663, "SSLCertFingerprint": 17, "domain": 520, "hostname": 734, "email": 11 }, "indicator_count": 5373, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "450 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c52fe96ef88583efb8484f", "name": "Compromised Host - Malwarebytes | Injector | Simba | System Hijacking", "description": "", "modified": "2024-09-15T07:02:25.374000", "created": "2024-08-21T00:08:09.738000", "tags": [ "historical ssl", "threat network", "infrastructure", "referrer", "adversaries", "information", "win32diskdrive", "win32processor", "windows", "registry run", "registers", "flow t1574", "dll sideloading", "powershell", "window", "modify registry", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 memory", "b0002 guard", "virtual machine", "detection b0009", "check registry", "check", "cnamazon rsa", "m02 oamazon", "number", "cus subject", "data", "m01 oamazon", "dns resolutions", "ip traffic", "memory pattern", "domains", "hashes", "user", "peexe c", "text c", "menu c", "menuprograms c", "games c", "text", "ttf c", "file system", "defender c", "desktop", "analyzer paste", "iocs", "hostnames", "url https", "samples", "generic malware", "tag count", "tue apr", "analyzer threat", "url summary", "ip summary", "summary", "sample", "first", "generic", "united", "mail spammer", "host", "cins active", "poor reputation", "detection list", "ip address", "blacklist", "malicious host", "team http", "cisco umbrella", "site", "safe site", "alexa top", "million", "fuery", "malware", "presenoker", "team", "riskware", "artemis", "passive dns", "as44273 host", "urls", "scan endpoints", "all scoreblue", "pulse pulses", "files", "domain", "files ip", "unknown", "germany unknown", "bq aug", "virtool", "ipv4", "main", "related pulses", "file samples", "files matching", "show", "search", "date hash", "showing", "next", "win32", "nxdomain", "ip related", "gmt content", "type", "x frame", "sameorigin x", "xss protection", "encrypt", "asnone united", "title error", "pulse submit", "url analysis", "date", "status", "creation date", "name servers", "hostname", "urls http", "msie", "windows nt", "slcc2", "media center", "suspicious", "verisign", "simda", "copy", "possible", "class", "write", "code", "win32 exe", "available from", "services", "registry tech", "server", "registrar abuse", "dnssec", "registrant name", "ninite", "dns replication", "technology", "bq jun", "bq jul", "domain status", "domain name", "contact email", "contact phone", "full name", "algorithm", "v3 serial", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "avast avg", "entries", "exclusionpath", "created", "shell commands", "processes tree", "silent log", "norestart", "k wersvcgroup", "pss s", "k wsappx", "signals mutexes", "mutexes", "global", "synchronization", "dataset", "system property", "lookups", "select index", "macaddress", "adaptertypeid0", "win32bios", "index0", "where index0", "select uuid", "self-delete", "persistence", "macro-powershell", "long-sleeps", "calls-wmi", "checks-bios", "checks-disk-space", "checks-memory-available", "checks-network-adapters", "checks-usb-bus", "checks-user-input", "crypto", "detect-debug-environment", "dos batch", "file type", "pe resource", "malicious", "socks5systemz", "nushell", "autodiscovery", "cookietheft", "twitter ad", "dos batch file", "t1064 executes", "mitre att", "ta0002 command", "t1059 uses", "dlls privilege", "dlls defense", "evasion ta0005" ], "references": [ "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip", "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com", "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep", "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113", "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements", "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st", "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)", "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)", "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)", "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e", "Antivirus Detections: Win.Trojan.Carberp-6809884-0 , VirTool:Win32/Injector.gen!BQ Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat", "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0", "Yara Detections: generic_shellcode_downloader", "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content", "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "Win.Trojan.Istbar-231", "display_name": "Win.Trojan.Istbar-231", "target": null }, { "id": "ALF:JASYP:PUAWin32/Bibado!atmn", "display_name": "ALF:JASYP:PUAWin32/Bibado!atmn", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Backdoor.Win32.Shiz.ivr", "display_name": "Backdoor.Win32.Shiz.ivr", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Win.Trojan.Agent-316117", "display_name": "Win.Trojan.Agent-316117", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": "66bf266b6fcd9faea7066e4a", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1848, "FileHash-MD5": 1826, "FileHash-SHA1": 1296, "domain": 152, "hostname": 265, "URL": 132, "email": 2 }, "indicator_count": 5521, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bf266b6fcd9faea7066e4a", "name": "Malwarebytes - Compromised Host | Injector | Simba | System Hijacking", "description": "\"Bundled Files: Malwarebytes.Premium.prem.com:\nMalicious noses sound in Malwarebytes with capabilities to infect entire system, bios (all). Complete CnC. High priority malicious.\nALF:JASYP:PUAWin32/Bibado!atmn\nBackdoor.Win32.Shiz.ivr\nGeneric\nSimda\nVirTool:Win32/Injector.gen!BQ\nWin.Trojan.Agent-316098\nWin.Trojan.Agent-316117", "modified": "2024-09-15T07:02:25.374000", "created": "2024-08-16T10:14:03.907000", "tags": [ "historical ssl", "threat network", "infrastructure", "referrer", "adversaries", "information", "win32diskdrive", "win32processor", "windows", "registry run", "registers", "flow t1574", "dll sideloading", "powershell", "window", "modify registry", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 memory", "b0002 guard", "virtual machine", "detection b0009", "check registry", "check", "cnamazon rsa", "m02 oamazon", "number", "cus subject", "data", "m01 oamazon", "dns resolutions", "ip traffic", "memory pattern", "domains", "hashes", "user", "peexe c", "text c", "menu c", "menuprograms c", "games c", "text", "ttf c", "file system", "defender c", "desktop", "analyzer paste", "iocs", "hostnames", "url https", "samples", "generic malware", "tag count", "tue apr", "analyzer threat", "url summary", "ip summary", "summary", "sample", "first", "generic", "united", "mail spammer", "host", "cins active", "poor reputation", "detection list", "ip address", "blacklist", "malicious host", "team http", "cisco umbrella", "site", "safe site", "alexa top", "million", "fuery", "malware", "presenoker", "team", "riskware", "artemis", "passive dns", "as44273 host", "urls", "scan endpoints", "all scoreblue", "pulse pulses", "files", "domain", "files ip", "unknown", "germany unknown", "bq aug", "virtool", "ipv4", "main", "related pulses", "file samples", "files matching", "show", "search", "date hash", "showing", "next", "win32", "nxdomain", "ip related", "gmt content", "type", "x frame", "sameorigin x", "xss protection", "encrypt", "asnone united", "title error", "pulse submit", "url analysis", "date", "status", "creation date", "name servers", "hostname", "urls http", "msie", "windows nt", "slcc2", "media center", "suspicious", "verisign", "simda", "copy", "possible", "class", "write", "code", "win32 exe", "available from", "services", "registry tech", "server", "registrar abuse", "dnssec", "registrant name", "ninite", "dns replication", "technology", "bq jun", "bq jul", "domain status", "domain name", "contact email", "contact phone", "full name", "algorithm", "v3 serial", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "avast avg", "entries", "exclusionpath", "created", "shell commands", "processes tree", "silent log", "norestart", "k wersvcgroup", "pss s", "k wsappx", "signals mutexes", "mutexes", "global", "synchronization", "dataset", "system property", "lookups", "select index", "macaddress", "adaptertypeid0", "win32bios", "index0", "where index0", "select uuid", "self-delete", "persistence", "macro-powershell", "long-sleeps", "calls-wmi", "checks-bios", "checks-disk-space", "checks-memory-available", "checks-network-adapters", "checks-usb-bus", "checks-user-input", "crypto", "detect-debug-environment", "dos batch", "file type", "pe resource", "malicious", "socks5systemz", "nushell", "autodiscovery", "cookietheft", "twitter ad", "dos batch file", "t1064 executes", "mitre att", "ta0002 command", "t1059 uses", "dlls privilege", "dlls defense", "evasion ta0005" ], "references": [ "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip", "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com", "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep", "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113", "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements", "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st", "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)", "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)", "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)", "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e", "Antivirus Detections: Win.Trojan.Carberp-6809884-0 , VirTool:Win32/Injector.gen!BQ Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat", "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0", "Yara Detections: generic_shellcode_downloader", "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content", "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "Win.Trojan.Istbar-231", "display_name": "Win.Trojan.Istbar-231", "target": null }, { "id": "ALF:JASYP:PUAWin32/Bibado!atmn", "display_name": "ALF:JASYP:PUAWin32/Bibado!atmn", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Backdoor.Win32.Shiz.ivr", "display_name": "Backdoor.Win32.Shiz.ivr", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Win.Trojan.Agent-316117", "display_name": "Win.Trojan.Agent-316117", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1848, "FileHash-MD5": 1826, "FileHash-SHA1": 1296, "domain": 152, "hostname": 265, "URL": 132, "email": 2 }, "indicator_count": 5521, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a0d760557004620f409f", "name": "Kelowna Mental Health", "description": "", "modified": "2023-12-06T16:27:03.467000", "created": "2023-12-06T16:27:03.467000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 715, "CVE": 20, "FileHash-MD5": 8943, "FileHash-SHA256": 37374, "FileHash-SHA1": 8939, "JA3": 11, "domain": 497, "URL": 408, "email": 38, "FilePath": 1 }, "indicator_count": 56946, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e9896df7ea5c41750e6aac", "name": "Kelowna Mental Health", "description": "", "modified": "2023-10-14T00:01:59.166000", "created": "2023-08-26T05:11:09.863000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 785, "domain": 550, "email": 38, "URL": 511, "CVE": 21, "FileHash-MD5": 15725, "FileHash-SHA1": 15719, "FileHash-SHA256": 67914, "JA3": 11, "FilePath": 1 }, "indicator_count": 101275, "is_author": false, "is_subscribing": null, "subscriber_count": 88, "modified_text": "960 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "Crowdsourced IDS rules: Matches rule (port_scan) UDP portsweep", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "Yara Detections: generic_shellcode_downloader", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "MALWARE BANKER TROJAN EVADER Researched: block.malwarebytes.com", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Crowdsourced Sigma: Matches rule Registry Persistence via Service in Safe Mode by frack113", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "Alerts: cape_detected_threat", "TrojanDownloaderWin64Carberp CodeOverlap", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "This pulse is so huge it\u2019s a mess. Will break down.", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "https://n0paste.eu/UH6n5pD/", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "https://vtbehaviour.commondatastorage.googleapis.com/93c8d17cfc1d37198ec68235361328afa953b3986bdd2be8cdce1b3908e32a9c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774649073&Signature=AoE4M%2Bbk8z1dvAQDE71siYrNnSPppxkrJ48W1DDJD9TgbcAJYo7Cw8Ft3fK9nskedxHCtUXq0ClgXN1m4L6a11RhjocW0Ucif3UJFwkMkSAH4oNlAdG7tdDolwUyXabfOp6vbQh7zXP39FeRvoiv5herWATPRVvB22cvlzoKOSUvsCh0t33HjTlTtj9Mw5k8jau29FfpOL7L0ZjLhP39XZ3eVxY10wiXpvcRfUtIZ0oQwIgXCBceigE7ka4MBYoXvjC5", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "RansomWin32Betisrypt CodeOverlap RansomWin32Nobig CodeOverlap", "https://vtbehaviour.commondatastorage.googleapis.com/93c8d17cfc1d37198ec68235361328afa953b3986bdd2be8cdce1b3908e32a9c_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774602117&Signature=GJRAxOKy5Ti19O5danDm6jZVf9i%2B1jkONiR5EbazB5bXMI%2B40CKT98OHvQNxwneyABK7Ie%2F09NbN5O4flZk3YAHeYRny4U%2BidCF5SA0rEaF3xpXDkcv4soaYTBerX8cN6%2BtKozSPuFaEHxO1r5JJUV%2B1TPmM3vUMLIxZuFGgyhYnjMHPoAS5zBDJ%2BYgkK4flsQLHi3KJ34ZsMMGOac2o4mg0FKU5PvGwttXsaLC308cyAlSUA", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "www.joewa.com", "Crowdsourced Sigma: Matches rule Potential Persistence Via Custom Protocol Handler by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma: Matches rule Hiding Files with Attrib.exe by Sami Ruohonen | Matches rule Non Interactive PowerShell Process Spawned by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements", "Potentially Pegasus related . Found to be affecting an IOS device", "crypto-pool.fr", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "https://dns.google/resolve?name=SELECT", "Crowdsourced Sigma: Matches rule Powershell Defender Exclusion by Florian Roth (Nextron Systems)", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "Silent Uninstalling.cmd | DosS | PUA.HackTool | FileHash-SHA256 26b6f985a431cbb246f62f6058958990bb468a79487c502e5815e78d6e88fe53", "Loads modules at runtime Looks up procedures from modules", "Crowdsourced Sigma: Matches rule Windows Defender Exclusions Added - PowerShell by Tim Rauch, Elastic (idea)", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "IDS Detections: Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "IDS Detections: Backdoor.Win32.Shiz.ivr Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "BGP Hurricane Electric seen", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "Indicators seen may have affected a few OTX users. Is ongoing", "Crowdsourced Sigma: Matches rule New Root Certificate Installed Via Certutil.EXE by oscd.community, @redcanary, Zach Stanford @svch0st", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced SIGMA Below:", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "in.community.com", "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat cape_extracted_content", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS: Observed Suspicious UA (Hello, World)", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "VirTool:Win32/Injector.gen!BQ - FileHash-SHA256 e3244c33eac9709cac1840b1b131ea25bb7c32652c7badbefe94a06038e2778e", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "Address shows an place of origin: Broomfield , Co", "Unique rule identifier: This rule belongs to a private collection.", "Believed to be originating from Germany and Russia", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "Researched: Malwarebytes.Premium.v5.1.6.RePack.by.xetrin.zip", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "cdn.wallets.cryptobit.live \u2022 kryptonite.cryptobit.live \u2022 https://cryptobit", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Crowdsourced IDS Below:", "Antivirus Detections: Win.Trojan.Carberp-6809884-0 , VirTool:Win32/Injector.gen!BQ Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 Yara Detections generic_shellcode_downloader Alerts injection_inter_process injection_create_remote_thread cape_detected_threat", "https://www.virustotal.com/graph/embed/g421f9bbfc29448f8acd6e6e0eaa616e332de270d8f5c4b34bcfc69f325a7bbc7?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Generic", "Win.trojan.agent-316117", "Unix.trojan.mirai", "Worm:win32/autorun!atmn", "Win.trojan", "Cve-2024-6387", "Cve-2018-10562", "Win.malware.salat-10058846-0", "Unix.trojan.mirai-7669677-0", "Win.trojan.vbgeneric-6735875-0", "Skynet", "Trojan.sagnt/r011c0dfs24", "Win.trojan.istbar-231", "Win.trojan.tofsee-7102058-0", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Backdoor.win32.shiz.ivr", "Cve-2025-20393", "Cve-2023-22518", "Virtool", "Simda", "Win.trojan.emotet-9850453-0", "Zergeca", "Virtool:win32/injector.gen!bq", "Backdoor:win32/tofsee.t", "#lowfidetectsvmware", "Win.trojan.agent-316098", "Alf:jasyp:puawin32/bibado!atmn", "Tofsee", "Worm:win32/mofksys.rnd!mtb", "Backdoor:win32/berbew" ], "industries": [ "Technology", "Education", "Telecommunications", "Government", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 32, "pulses": [ { "id": "6a0fec7257bc32c037c9be08", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T06:18:07.234000", "created": "2026-05-22T05:41:06.053000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 638, "FileHash-SHA1": 366, "FileHash-SHA256": 1441, "IPv4": 377, "URL": 1697, "domain": 404, "hostname": 873, "CIDR": 1, "Mutex": 1, "IPv6": 19, "email": 9 }, "indicator_count": 5826, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec7156a2d7cd795090ba", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:41:05.023000", "created": "2026-05-22T05:41:05.023000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec697a7cef13f5cf8fdf", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:57.737000", "created": "2026-05-22T05:40:57.737000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec65b9ecad6466cf0144", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:53.032000", "created": "2026-05-22T05:40:53.032000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec5d56a2d7cd795090b9", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:45.104000", "created": "2026-05-22T05:40:45.104000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde205095bd98f11dcd2e", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:40:00.363000", "created": "2026-05-22T04:40:00.363000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1e9d38578f83f2f07a", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:58.097000", "created": "2026-05-22T04:39:58.097000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1b366253c296281156", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:55.100000", "created": "2026-05-22T04:39:55.100000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1396bb42208f8aa25b8ae", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T16:16:43.680000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9657, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d1395ab63bf8e8d2c384eb", "name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable", "description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-04T16:16:26.128000", "tags": [ "binary", "yara rule", "binary file", "yara", "pe section", "av detections", "ip address", "url analysis", "urls", "singapore", "singapore asn", "as14061", "edgeview drive", "suite", "broomfield", "colorado", "key usage", "handle", "v3 serial", "number", "cert validity", "asia pacific", "traefik default", "cert", "thumbprint", "name", "all filehash", "learn", "adversaries", "calls", "ck id", "name tactics", "suspicious", "informative", "reads", "defense evasion", "loads", "model", "call", "getprocaddress", "span", "path", "mitre att", "ck matrix", "access type", "value", "windir", "open", "error", "click", "contact", "meta", "april", "hybrid", "format", "strings", "united", "b778b1", "div div", "d9e4f4", "edf2f8", "status", "fastest privacy", "first dns", "trojan", "pegasus", "title", "dynamicloader", "ms windows", "intel", "pe32 executable", "win32", "medium", "pe32", "high", "mozilla", "delphi", "injectdll", "write", "malware", "observer", "stream", "unknown", "lredmond", "stwa", "omicrosoft", "stwashington", "server ca", "https domain", "accept", "read c", "ogoogle trust", "worm", "code", "td td", "td tr", "a td", "dynamic dns", "name servers", "arial", "zeppelin", "null", "enough", "hosts", "fast", "tls sni", "cloudflare dns", "google dns", "showing", "get icarus", "show", "ascii text", "global", "next", "cc fd", "d4 dc", "a3 ad", "a8 c7", "bb c7", "f0 f1", "f4 ca", "bc a1", "win64", "local", "otx logo", "hostname", "passive dns", "files", "less", "related tags", "servers", "certificate", "domain", "cloudflare", "khtml", "gecko", "ids detections", "yara detections", "ip lookup", "encrypt", "elf executable", "sysv", "linux", "elf64 operation", "unix", "exec amd6464", "elf geomi", "modify system", "process l", "t1543", "systemd service", "ta0004", "techniques", "process create", "modify syst", "t1036 indicator", "remc t1070", "file", "directoi t1222", "t1027 masquerac", "t1070", "data upload", "extraction", "failed", "ta0005", "t1027", "memory pattern", "domains", "dns resolutions", "full reports", "v ip", "traffic tcp", "g sh", "c tmpsample", "binrm f", "usrbinid id", "usrbinsystemctl", "proc1environ", "proccpuinfo", "include", "review exclude", "sample", "https", "performs dns", "tls version", "mitre attack", "network info", "file type", "persistence", "include review", "exclude sugges", "find s", "unique ru", "review occ", "exclude data", "alvoes", "include data", "suggest", "find c", "typ filet", "filet ce", "layer protocol", "http performs", "reads cpu", "proc indicative", "filet filet", "pulse", "file hach", "h1256", "filer data", "typ data", "filer filehuon", "filet filer", "exchange all", "typ no", "no entri", "exclude", "suggested ocs", "manualy", "hua muicalul", "find", "indicatore", "typ innicatad", "new threat", "dive into", "zergeca botnet", "reference", "report publish", "zergeca", "all se", "matches edolavd", "matches data", "matches matches", "type", "extr", "tico data", "get hello", "mirai variant", "useragent", "hello", "outbound", "world", "search", "hackingtrio ua", "inbound", "mirai", "info", "shell", "pulse pulses", "files ip", "address domain", "ip related", "labs pulses", "pulses", "post", "http traffic", "tocstut", "reference id", "xor key", "canada", "america", "germany", "doh", "ddos", "botnet", "en", "xor", "twitter", "stop", "loader", "downloader", "zerg", "mirai", "golang", "c2 resolution", "germany", "c2 ip", "virustotal", "smux", "ck ids", "t1082", "applescript", "t1190", "application", "private server", "t1609", "command", "unix shell", "software supply", "service", "chain", "t1499", "entries", "otx telemetry", "next associated", "backdoor", "detections", "sha256 add", "alerts", "heur", "all domain", "creation date", "record value", "aaaa", "date", "unknown ns", "ponmocup post", "infection dns", "mtb nov", "ipv4 add", "external ip", "copy" ], "references": [ "www.joewa.com", "Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name", "Yara Detections: MacSync_AppleScript_Stealer , UPX ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser", "apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/", "Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena/", "Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more", "Loads modules at runtime Looks up procedures from modules", "(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007", "https://cloudflare-dns.com/dns | cloudflare-dns.com", "https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522", "https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com", "https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f", "6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)", "\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca", "\u2018Can't access file\u2019[Found in Zergeca Botnet]", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections", "IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56", "Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org", "Crowdsourced SIGMA Below:", "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community", "Crowdsourced IDS Below:", "Matches rule ET POLICY External IP Lookup ipinfo.io", "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "Matches rule ET INFO External IP Check (checkip .amazonaws .com)", "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Unique rule identifier: This rule belongs to a private collection.", "geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi", "https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO", "Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/", "crypto-pool.fr", "i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645", "Muslims have built, supported, and assisted. or Muslims: Support and Solidarity", "LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado", "IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST", "IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)", "IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)", "IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)", "IDS: Observed Suspicious UA (Hello, World)", "Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,", "Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections", "Alerts: cape_detected_threat", "IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184", "IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248", "Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]", "https://dns.google/resolve?name=SELECT", "31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]", "multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]", "84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]", "Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets", "Since September 2023, according to an analysis by cyber security firm XLab CTIA.", "Address shows an place of origin: Broomfield , Co", "Believed to be originating from Germany and Russia", "BGP Hurricane Electric seen", "Potentially Pegasus related . Found to be affecting an IOS device", "Indicators seen may have affected a few OTX users. Is ongoing", "Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced", "apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple", "This pulse is so huge it\u2019s a mess. Will break down." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Thailand", "Germany", "Canada" ], "malware_families": [ { "id": "Win.Malware.Salat-10058846-0", "display_name": "Win.Malware.Salat-10058846-0", "target": null }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Trojan.Sagnt/R011c0dfs24", "display_name": "Trojan.Sagnt/R011c0dfs24", "target": null }, { "id": "Zergeca", "display_name": "Zergeca", "target": null }, { "id": "Unix.Trojan.Mirai", "display_name": "Unix.Trojan.Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-7669677-0", "display_name": "Unix.Trojan.Mirai-7669677-0", "target": null }, { "id": "CVE-2018-10562", "display_name": "CVE-2018-10562", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2024-6387", "display_name": "CVE-2024-6387", "target": null }, { "id": "CVE-2025-20393", "display_name": "CVE-2025-20393", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1037.002", "name": "Logon Script (Mac)", "display_name": "T1037.002 - Logon Script (Mac)" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 795, "FileHash-SHA1": 648, "FileHash-SHA256": 3708, "URL": 2587, "domain": 739, "hostname": 1129, "email": 14, "CIDR": 15, "SSLCertFingerprint": 18, "CVE": 4 }, "indicator_count": 9657, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "jrsoftware.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "jrsoftware.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780267506.8996894 }