{ "type": "Domain", "indicator": "microsoftstart.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/microsoftstart.org", "alexa": "http://www.alexa.com/siteinfo/microsoftstart.org", "indicator": "microsoftstart.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4314780113, "indicator": "microsoftstart.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6a0050a3b1d71cc50840286e", "name": "*Dormant Destruction* VirusTotal report for index.html", "description": "This threat intelligence pulse tracks a long-dormant wiper, dating back to the early 2000s, which has persisted across multiple environments undetected. The malware features sophisticated, \"hidden\" destructive mechanisms capable of widespread data wiping. It appears to leverage administrative-level access, allowing it to move laterally and compromise systems extensively. Continued inaction regarding this infection chain poses a critical risk to data integrity. The ONLY way to fix this as it has taken over the root is by addressing the problem for what it actually is, the math and drops do not lie, deletion and new certs/exp certs will fail. The science is clear, the answer is foggy. Its best to see clearly.", "modified": "2026-05-29T19:06:32.951000", "created": "2026-05-10T09:32:19.100000", "tags": [ "mitre attack", "network info", "processes extra", "meta", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "system process", "sigma", "united", "federation", "file type", "yara", "creates", "pe32", "intel", "malicious", "persistence", "window", "default", "cname", "inprocserver32", "shell folders", "parent pid", "full path", "command line", "accept", "windows nt", "win64", "payload", "shutdown", "tofsee", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "sha256", "back", "windows sandbox", "calls process", "kb body", "civicplus", "network admin", "net192", "net1920000", "icone2", "llc orgid", "houston", "suite e", "city", "ks postalcode", "orgtechhandle", "orgtechref", "houston address", "e city", "address range", "cidr", "network name", "type", "status", "whois server", "entity icone2", "handle", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cus cnrapidssl", "rsa ca", "odigicert inc", "subject public", "key info", "thumbprint", "entity", "rdap database", "iana registrar", "host name", "links", "v3 serial", "cus olet", "encrypt cne8", "validity", "key algorithm", "ec oid", "value a", "please", "javascript", "ascii", "json", "openpgp secret", "extra info", "spawns", "layer protocol", "attack network", "allocated pa", "date", "ripe", "alphen", "rijn", "urls", "suricata ids", "smtp", "poland", "france", "germany", "canada", "japan", "slovakia", "toggle", "msie", "post", "wpaddetectedurl", "settingswpad", "wpaddhcp", "wpaddns", "dynamicloader", "static analysis", "first", "path", "enterprise", "service", "close", "zenbox android", "info", "pdf document", "adobe portable", "document format", "sha1", "bootkit", "loads" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 669, "URI": 3, "FileHash-MD5": 121, "FileHash-SHA1": 131, "IPv4": 285, "URL": 346, "domain": 286, "hostname": 274, "CIDR": 2, "email": 2 }, "indicator_count": 2119, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d458f27a51876d7949f5", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T17:19:19.635000", "created": "2026-05-25T04:47:20.503000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 326, "domain": 179, "hostname": 381, "FileHash-MD5": 811, "FileHash-SHA1": 835, "URL": 815, "email": 2 }, "indicator_count": 5615, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d450d1c0f6a31e71cef1", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:31:09.918000", "created": "2026-05-25T04:47:12.640000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 372, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 812, "email": 2 }, "indicator_count": 5595, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d455f52a1c3acb3904b6", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:29:42.941000", "created": "2026-05-25T04:47:17.194000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 382, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 816, "email": 2 }, "indicator_count": 5609, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ede4900c0c36d508b00892", "name": "VirusTotal report for index.html tlp:green", "description": "[The following is the full text of the following:..woff2/akamai/clientlib-brand-base/resources/InstrumentSans-Variable-Latin-Italic] pdfkit[.net] = trans ip. Otx kept having server errors when trying to upload more comprehensive reports on this. Interference not by otx, suspect.", "modified": "2026-05-26T10:06:50.708000", "created": "2026-04-26T10:10:24.165000", "tags": [ "html internet", "html document", "unicode text", "utf8 text", "ascii text", "language", "https", "mitre attack", "network info", "processes extra", "transip", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "title", "next", "meta", "link", "path", "doctype html", "ieedge", "bezet", "head", "body", "get url", "ip reputation", "divi child", "site kit", "google", "truetype", "woff", "user", "agent", "style", "original", "unknown", "has permission", "tls version", "file type", "loads", "urls", "persistence", "cloud", "malicious", "found", "dropped info", "zenbox android", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196678&Signature=HzcyQV1X4%2BZuxALwV5MKabxavBVI2pXXV%2BqZ%2FxjbZGEzJLq3HvfBlhoJvnPO72cTsUYIRIF8xWwC5jRcagGjKfbaLJN2X5M8YJLFvzNW8EUuKXbP4HlPUyWW4vdbPPfTDk7AH9O3Mc%2Bsqm0rUu1TTZ5W30gnKw%2B8w129EjLK4TTXdxBhsVZflHp65tluC8NtT6PKr40eTUW79dRIU4EmpzQYixwP5kHPdWny4lMV2tyDCM4BVbj5jGGjOMlG", "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196704&Signature=oj%2BDJfu%2FPrkzTQYzv%2BNGIb7bMBOERBArPqSmhPICbJXukp7MyQm%2FhSDqT3TSgCuwYbRMqjTmAdHa9EBQ%2FCjlr3PdRe5jLJ3yEljzhIZMVkux2h7EGR9NvtyGFd0b4G6DcOYfzDyXI7IIUvEDVqDTPa2biRIlSwUKAXKvFLQvemNBTNwAt6ZWjRPcsjpgkPpPBVYA6mGR50QOtob74rarfPZno74N59OZkm5XoVm7mwuzGXDl189f", "https://vtbehaviour.commondatastorage.googleapis.com/45a190c2f2471d465eadce7b529473c1092e0b0fa4a8bd5066f2f0dadd021517_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777197660&Signature=ZeKi%2BRgUGuBZD7C84XN%2BMrK%2FhjGTkk9wZi%2B8oRGqD%2FMkt4j53TX2%2FNO2D5kv3PFADqhPUkUWatmRPNgFj3%2Fxgz2H%2B1MaxZeG4uZ7yDAjWSgY1bcI2k5Z4SWMDc8FAivGl7%2FYutQiu%2FIWCMxbxTnk4yJQiQtuOgqwVTZybq4ROhIA52sWpFV9sAHWnPeTZJIPWahZpZz3LH5ByhNbVb8fHKqxFmoQAswKLvlgjAcNSh", "https://vtbehaviour.commondatastorage.googleapis.com/00000d3cb583c86b8fd89bcd270cf1a9c1974f23518caf52a9d55ba482afc255_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198022&Signature=X%2FtJADqZ8hUIDWnAnxXSy836h8XaVn9hIB%2FoJc%2BMiH70BQaiUPucRhxoQpLz8ff%2BU7i4DwbrecytnCCLiVA1QuLWxTYL9hBhT8xX%2F3h564r8jpG8kTHcyZTD%2F1w9THtZhgtgccYteH8vuC1RaaNpHpj8RESbs6TdENGlhzHELvXxYplQuBznpKau1ZeLiNJFngKuEOT%2FkcHjzOM%2B%2BUZzAovTwc6PDZOk4C4qBT7YdZ", "https://vtbehaviour.commondatastorage.googleapis.com/000011b9276d67cb6c737226e1572ad5396d96a7ce2a6512c6c5774371332730_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198160&Signature=ErZReZYXc0zl2849KmoGwJGof9NjsCg2iX3sqgLWs2FU4WBoLpZAVnFi6g7Z3BFda%2FDPKxZ7%2FHG%2BlEU2VB7ctD7pXcNfD%2F3nEPZC54sles9Cycinws6vWWfHnYmSpwKF4DtTjjbL%2F7bwIb%2FOrT%2BeKzVvt7gGL%2ByHJpWrAgr4UtNSHKVmHLIIgRH%2FfDOtlS410ed%2Bal8ukGl9ZSeDQjYg0A0KKxdNkAtcJPN4fLcl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 554, "FileHash-MD5": 53, "FileHash-SHA1": 4, "URL": 561, "hostname": 275, "domain": 114 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7a71682c83e9c17835", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-26T06:44:42.987000", "created": "2026-05-24T16:42:34.355000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1765, "URL": 1325, "hostname": 1489, "FileHash-MD5": 224, "FileHash-SHA1": 268, "IPv4": 152, "domain": 1177, "CIDR": 4, "email": 11, "IPv6": 1, "URI": 3, "CVE": 2, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6425, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a101b839df4493da69621a2", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-25T21:25:42.679000", "created": "2026-05-22T09:01:55.489000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1647, "IPv4": 146, "URL": 826, "hostname": 769, "domain": 396, "email": 7, "IPv6": 2, "Mutex": 1 }, "indicator_count": 3951, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7a34bcc860b0e44ffc", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:34.350000", "created": "2026-05-24T16:42:34.350000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7762cac9a1007d9ece", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:31.294000", "created": "2026-05-24T16:42:31.294000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a66fa217054f3e57883", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:14.218000", "created": "2026-05-24T16:42:14.218000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a577896901b2c0b993b", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:41:59.005000", "created": "2026-05-24T16:41:59.005000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a101b73325050835339892c", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:18.535000", "created": "2026-05-22T09:01:39.942000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 198, "FileHash-SHA1": 163, "FileHash-SHA256": 1939, "IPv4": 172, "URL": 826, "hostname": 770, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 4473, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a101b796e100c09c491429e", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:16.979000", "created": "2026-05-22T09:01:45.017000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 146, "URL": 822, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3914, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a101b83a6873110c5e69e29", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:15.876000", "created": "2026-05-22T09:01:55.189000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 396, "email": 7, "IPv6": 1 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a101b874f712c713c7de979", "name": "research 5 * CAPE Sandbox", "description": "[look back at the results of the WaproIntegration.exe analysis, conducted by Asseco Business Solutions, and published by the Microsoft Office (MSW) on 1 January 2017.] Client *doesnt* have windows.", "modified": "2026-05-24T05:56:06.959000", "created": "2026-05-22T09:01:59.502000", "tags": [ "cname", "strong", "library", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "none rticon", "accept", "shutdown", "back", "sha256", "guard", "registers", "loads", "dcom", "pe file", "performs dns", "sample", "network info", "processes extra", "aslr", "urls", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "server", "domain name", "domain status", "email", "registrant", "registrar", "google", "high priority", "gmt ifnonematch", "priority", "sha1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "default", "address virtual", "shell folders", "payload", "bootkit", "stream", "tofsee", "seraph secure", "g4 code", "signing rsa4096", "sha384", "ca1 valid", "from", "code signing", "algorithm", "thumbprint", "thumbprint md5", "responder", "nothing", "ip address", "registry keys", "cape sandbox", "found", "center", "http", "port", "title", "creates", "dropped info", "ascii text", "head", "body", "persistence", "date", "dnssec", "status", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "key identifier", "x509v3 subject", "number", "issuer", "cus cnthawte", "tls rsa", "ca g1", "odigicert inc", "cde stbayern", "info", "v3 serial", "lmnchen oteam", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "cus olet", "encrypt cnr10", "validity", "cus starizona", "cngo daddy", "authority", "g2 validity", "available from", "code", "registry tech", "admin country", "kr registrant", "organization", "expiration date", "rdap database", "handle", "iana registrar", "links", "cus oapple", "public server", "rsa ca", "g1 validity", "public key", "name", "domain", "expiry date", "query time", "united", "update date" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 86, "FileHash-SHA1": 71, "FileHash-SHA256": 1621, "IPv4": 145, "URL": 821, "hostname": 764, "domain": 397, "email": 7, "IPv6": 1 }, "indicator_count": 3913, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a11810e7bc0d9d7652b4fcb", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:44:37.782000", "created": "2026-05-23T10:27:26.040000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "FileHash-MD5": 63, "FileHash-SHA1": 65, "FileHash-SHA256": 456, "domain": 116, "hostname": 495, "URL": 862, "email": 1 }, "indicator_count": 2252, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1181104aab1e5b6484a6d2", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:34:56.494000", "created": "2026-05-23T10:27:28.048000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 70, "FileHash-MD5": 19, "FileHash-SHA1": 18, "FileHash-SHA256": 412, "domain": 96, "hostname": 409, "URL": 810, "email": 1 }, "indicator_count": 1835, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10b5fcbae6ff7196fadd8a", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:24.934000", "created": "2026-05-22T20:01:00.435000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10b601afa660d39df59585", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:23.966000", "created": "2026-05-22T20:01:05.318000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 217, "CIDR": 63, "FileHash-MD5": 399, "FileHash-SHA1": 114, "FileHash-SHA256": 513, "URL": 605, "domain": 328, "email": 21, "hostname": 694, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 3010, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10b5fc8feb5a31eedfc0ec", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:59.988000", "created": "2026-05-22T20:00:59.988000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10b5eb25a8421d03c37021", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:43.360000", "created": "2026-05-22T20:00:43.360000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10b5eae1aa45c197c5f4cd", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:42.869000", "created": "2026-05-22T20:00:42.869000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec7257bc32c037c9be08", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T06:18:07.234000", "created": "2026-05-22T05:41:06.053000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 638, "FileHash-SHA1": 366, "FileHash-SHA256": 1441, "IPv4": 377, "URL": 1697, "domain": 404, "hostname": 873, "CIDR": 1, "Mutex": 1, "IPv6": 19, "email": 9 }, "indicator_count": 5826, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec7156a2d7cd795090ba", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:41:05.023000", "created": "2026-05-22T05:41:05.023000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec697a7cef13f5cf8fdf", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:57.737000", "created": "2026-05-22T05:40:57.737000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec65b9ecad6466cf0144", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:53.032000", "created": "2026-05-22T05:40:53.032000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fec5d56a2d7cd795090b9", "name": "research part 3 * CAPE Sandbox", "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C", "modified": "2026-05-22T05:40:45.104000", "created": "2026-05-22T05:40:45.104000", "tags": [ "string id", "x5173x95ed", "control", "wixbundlename", "x53d6x6d88", "copyright", "width", "height", "helptext", "repair", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "size", "write", "shell", "open", "pe32", "ms windows", "microsoft input", "method editor", "ms visual", "win32 dynamic", "link library", "pe64 compiler", "ltcgc", "linker", "windows sandbox", "clear filters", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "sha2 secure", "server ca", "performs dns", "pe file", "sample", "sigma", "instance", "spawns", "aslr", "urls", "t1055 process", "attack network", "phishing", "info", "next", "status code", "body length", "kb body", "default", "parent pid", "full path", "command line", "inprocserver32", "data", "datacrashpad", "k localservice", "s ngcsvc", "s ngcctnrsvc", "cname", "strong", "library", "accept", "address virtual", "file type", "shutdown", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "guard", "back", "studio build", "tools", "linkid2179911", "visual c", "visual studio", "ccli", "studio", "studio ide", "msbuild", "dev17", "false", "ascii text", "https", "svg scalable", "vector graphics", "elite", "tls version", "unicode text", "persistence", "malicious", "ip address", "mb body", "windows", "reads", "network info", "processes extra", "intel", "delphi", "code", "microsoft code", "signing pca", "valid from", "valid usage", "code signing", "thumbprint", "thumbprint md5", "c9 f6", "bc ed", "service issuer", "usage ff", "authority", "sha256", "serial number", "none rticon", "tofsee", "stream", "mitre attack", "chrome cache", "entry", "web open", "font format", "truetype", "version", "t1574", "execution flow", "found", "drops pe", "window", "Avalon", "dmca https", "versionnt", "and not", "versionnt64", "and versionnt64", "majorupgrade", "service pack", "redistributable", "detect", "windows81x86", "script", "cohassethingham", "title", "rent", "pendo", "userinfo", "doctype html", "head", "optanonwrapper", "date", "meta", "strings", "null", "layer protocol", "overview", "overview zenbox", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 625, "FileHash-SHA1": 353, "FileHash-SHA256": 672, "IPv4": 281, "URL": 629, "domain": 99, "hostname": 523, "CIDR": 1, "Mutex": 1 }, "indicator_count": 3184, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e70462533707c15e72292", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T03:36:39.925000", "created": "2026-05-21T02:39:02.897000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 212, "FileHash-SHA1": 226, "FileHash-SHA256": 1512, "IPv4": 409, "URL": 880, "hostname": 1350, "domain": 378, "CIDR": 1, "email": 3, "Mutex": 3 }, "indicator_count": 4974, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e703e7c0457682c548691", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.394000", "created": "2026-05-21T02:38:54.394000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e703e6a884aeed75d9180", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.205000", "created": "2026-05-21T02:38:54.205000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e7033ee9e679939ba3294", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:43.726000", "created": "2026-05-21T02:38:43.726000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e702f7b1b513a66e1789e", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:39.508000", "created": "2026-05-21T02:38:39.508000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4e39558ce3e9467915ec9", "name": "VirusTotal Windows Sandbox - Bios Mutex", "description": "< A full list of details about the file that was used to launch the Yomi ransomware attack on the Windows operating system in the 1990s, and which has now been described as \"malicious\".> Firmware Neutral. Bios Mutex. This is cruel.", "modified": "2026-05-20T00:02:48.915000", "created": "2026-04-19T14:15:49.333000", "tags": [ "toggle", "xff dxff0dx89", "x8bxc0xff", "xf0xb3 xf0xb3", "pxa1x90xa6", "x85xc0t x85xc0t", "xe0xfbt", "l xe0xfbt", "x83xc4 x83xc4", "x85xd2t x85xd2t", "download", "first", "path", "enterprise", "service", "close", "success", "regopenkeyexa", "createmutexw", "regopenkeyexw", "regenumvaluew", "netbiosthread1", "netbiosthread2", "regcreatekeyexw", "hkeycurrentuser", "loadlibrarya", "shell", "fail", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776607834&Signature=hyJ%2FTXDs5ybL7Px0RGD8qpbR2mhMsw9TGnNlVw1emJtvQUIxQ3fbIohjSdWraqmbe1ed3W0qMGeOjKauzQYJM6g4YT4TvdlSBfruPE0NYGLVLi7m2GB6fGGn84yrlYQ34ioU%2F1vJ6f%2FItzTch0a9TpisvD%2FGLq%2FEngakns%2FkmlbkSwGqIlsWY7fVv5H%2BjLF7n%2BKoiRgnElJKbZIKXhoyatx0K1hwEm5FhR2psWxfTwyv7bs", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Cuckoofork.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608137&Signature=UiEXl5dFUjdbtSBJ5oDC2ewFK3bwZVFMU4c58Oj69fhp7qdwfqPbxDkJ%2Fip5zs3usTaZu8qrwgjJ3EgqO87YfEBtsV%2FCUTRvtFeHfzrOTkbE1WkOuasRAa92snPaPCt9Kk3y5q3jRMDlVA9g2rpZOsCub%2BYzl0%2FfdG8m%2FFed4xqdb2hu9ANjORr6MflPpQO8ThcwsbuThAuY4d28geQGVt86xzc00GELx6tbWViWiFA", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608198&Signature=N5AMDdOomLkmCompJzyYyrKb70Dt3nkBA2WmItg2wH6lcZDEqCt9pFe6xjRCi4BUBNOVGWgmAb2xg9tPXQ1mJghdn%2FehssyS8JLpmPFRDGeH7r2ULHprDQ3%2BoXTR9IC38%2F8K1ED36yL6kqTBdr%2BTYNi71%2B6rs%2FBqPgCVgVBMfrtmZHg49tzBjd5GNuDWptnb9gJVuovKjCJh2Ure8hIjmfG4I95r1rmZhHHgE7hRIBqB" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 6, "FileHash-SHA256": 139, "SSLCertFingerprint": 3, "URL": 145, "hostname": 99, "domain": 41 }, "indicator_count": 442, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e4ce38b03b0bb283c78a42", "name": "CAPE Sandbox- circa 1980", "description": "I dont even have windows and its haunting me. The real treasure today was this though.. you were tricky with your 1980's work to find:\na74535b274b8bfa42e4d7dd33fd8703e\n2bcdb3bf34303a29106a3aefa21d611a170443ea\n4da1f382887248188f43e579f6a28163d4337cca2a7d8dc893b58dff35e9c745\n244aaea6a195a18bbd72a13a9a421e72", "modified": "2026-05-19T13:22:41.504000", "created": "2026-04-19T12:44:40.519000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 196, "FileHash-SHA1": 174, "FileHash-SHA256": 1546, "URL": 157, "hostname": 403, "domain": 80, "CIDR": 4, "email": 10 }, "indicator_count": 2570, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e30d748895cd7a5746fd20", "name": "Evolution of Russian APT29 \u2013 Attacks &Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research", "description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "modified": "2026-05-18T03:24:08.757000", "created": "2026-04-18T04:49:56.011000", "tags": [ "injection", "removal", "manipulation", "apt29", "lab52", "avertium", "ukraine", "magicweb", "nato", "solarwinds", "snowyamber", "halfrig", "quarterrig", "orion", "team", "ransomware", "mimikatz", "magicweb", "hijack", "cobalt strike", "trojan", "dropper", "dukes", "malware", "ylarv", "drop", "msdos", "stub", "rareencoding", "memory pattern", "communication", "urls http", "hashes", "client execut", "modify registry", "preos boot", "technir process", "artifacts v", "v help", "rootkit", "os credential", "response", "nxdomain", "name n", "dumping", "sigma", "use short", "name path", "creates", "query firmware", "verdict", "report", "malicious", "defense evasion", "network info", "process", "system", "hostname" ], "references": [ "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f", "I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting", "XOR_embeded_exefile_xored_with_round_256_bytes_key", "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->", "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message", "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth", "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth", "YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth", "YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth", "YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth", "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth", "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali", "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.", "kefas.id: Crowdsourced Sigma below | Malicious Score High", "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29", "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner", "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |", "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research" ], "public": 1, "adversary": "", "targeted_countries": [ "Norway", "Ukraine", "Poland" ], "malware_families": [ { "id": "Xored", "display_name": "Xored", "target": null }, { "id": "Trojan.Dukes/Xmldrp", "display_name": "Trojan.Dukes/Xmldrp", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 34, "hostname": 97, "FileHash-MD5": 32, "FileHash-SHA1": 29, "FileHash-SHA256": 138, "CVE": 4 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1e3701bff1800614838dc", "name": "wireshark", "description": "", "modified": "2026-05-17T08:02:15.940000", "created": "2026-04-17T07:38:24.668000", "tags": [ "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 707, "FileHash-MD5": 281, "FileHash-SHA1": 271, "URL": 123, "domain": 69, "hostname": 608, "email": 1 }, "indicator_count": 2060, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a070f0f379e50ef7c511974", "name": "* BumbleBee Loader * CAPE Sandbox - 5/1/25", "description": "Compilation Timestamp\n2025-05-01 18:04:59 UTC\nEntry Point 527**\nContained Sections 7\nWritten in C++, this malware functions as a first-stage backdoor designed to establish an initial foothold before continuing its stealthy attack to move into MAAS, operations, and development. Bumblebee is primarily delivered via phishing emails\u2014often disguised as invoices\u2014but its scope also includes PDFs, voicemails, zip files, and images. The malware is highly evasive, routinely checking its environment, executing payloads, and creating LOLBins. Related to Operation Endgame, it notably disrupted regsvr32.exe in May 2024. This specific variant was created on May 1, 2025, and appeared to be set into operation on May 5, 2025\u2014interestingly, just one day after Microsoft changed its DKIM, SPF, and DMARC rules.\ned76019fbae16d3992d1939c38d620185f4520e128f80983a00cadc6a9c3b509\n2025-05-05_77aa5cace886af5e61db8eb4c4cea57e_black-basta_cobalt-strike_satacom", "modified": "2026-05-17T05:42:57.697000", "created": "2026-05-15T12:18:22.918000", "tags": [ "recovery", "name", "clothing", "dating", "concerns", "submission", "analysis", "utc html", "info title", "information", "makeup", "home", "rams twitter", "script tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 60, "FileHash-MD5": 53, "FileHash-SHA1": 94, "FileHash-SHA256": 360, "SSLCertFingerprint": 8, "URL": 246, "domain": 62, "email": 8, "hostname": 133, "Mutex": 1 }, "indicator_count": 1025, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a070f0dd165196deff2d1bf", "name": "* BumbleBee Loader * CAPE Sandbox - 5/1/25", "description": "Compilation Timestamp\n2025-05-01 18:04:59 UTC\nEntry Point 527**\nContained Sections 7\nWritten in C++, this malware functions as a first-stage backdoor designed to establish an initial foothold before continuing its stealthy attack to move into MAAS, operations, and development. Bumblebee is primarily delivered via phishing emails\u2014often disguised as invoices\u2014but its scope also includes PDFs, voicemails, zip files, and images. The malware is highly evasive, routinely checking its environment, executing payloads, and creating LOLBins. Related to Operation Endgame, it notably disrupted regsvr32.exe in May 2024. This specific variant was created on May 1, 2025, and appeared to be set into operation on May 5, 2025\u2014interestingly, just one day after Microsoft changed its DKIM, SPF, and DMARC rules.\ned76019fbae16d3992d1939c38d620185f4520e128f80983a00cadc6a9c3b509\n2025-05-05_77aa5cace886af5e61db8eb4c4cea57e_black-basta_cobalt-strike_satacom", "modified": "2026-05-17T05:42:56.951000", "created": "2026-05-15T12:18:21.528000", "tags": [ "recovery", "name", "clothing", "dating", "concerns", "submission", "analysis", "utc html", "info title", "information", "makeup", "home", "rams twitter", "script tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 61, "FileHash-MD5": 51, "FileHash-SHA1": 92, "FileHash-SHA256": 346, "SSLCertFingerprint": 8, "URL": 245, "domain": 62, "email": 8, "hostname": 132 }, "indicator_count": 1005, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0050a164795207832b4331", "name": "*Dormant Destruction* VirusTotal report for index.html", "description": "This threat intelligence pulse tracks a long-dormant wiper, dating back to the early 2000s, which has persisted across multiple environments undetected. The malware features sophisticated, \"hidden\" destructive mechanisms capable of widespread data wiping. It appears to leverage administrative-level access, allowing it to move laterally and compromise systems extensively. Continued inaction regarding this infection chain poses a critical risk to data integrity. The ONLY way to fix this as it has taken over the root is by addressing the problem for what it actually is, the math and drops do not lie, deletion and new certs/exp certs will fail. The science is clear, the answer is foggy. Its best to see clearly.", "modified": "2026-05-12T06:40:06.849000", "created": "2026-05-10T09:32:17.372000", "tags": [ "mitre attack", "network info", "processes extra", "meta", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "system process", "sigma", "united", "federation", "file type", "yara", "creates", "pe32", "intel", "malicious", "persistence", "window", "default", "cname", "inprocserver32", "shell folders", "parent pid", "full path", "command line", "accept", "windows nt", "win64", "payload", "shutdown", "tofsee", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "sha256", "back", "windows sandbox", "calls process", "kb body", "civicplus", "network admin", "net192", "net1920000", "icone2", "llc orgid", "houston", "suite e", "city", "ks postalcode", "orgtechhandle", "orgtechref", "houston address", "e city", "address range", "cidr", "network name", "type", "status", "whois server", "entity icone2", "handle", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cus cnrapidssl", "rsa ca", "odigicert inc", "subject public", "key info", "thumbprint", "entity", "rdap database", "iana registrar", "host name", "links", "v3 serial", "cus olet", "encrypt cne8", "validity", "key algorithm", "ec oid", "value a", "please", "javascript", "ascii", "json", "openpgp secret", "extra info", "spawns", "layer protocol", "attack network", "allocated pa", "date", "ripe", "alphen", "rijn", "urls", "suricata ids", "smtp", "poland", "france", "germany", "canada", "japan", "slovakia", "toggle", "msie", "post", "wpaddetectedurl", "settingswpad", "wpaddhcp", "wpaddns", "dynamicloader", "static analysis", "first", "path", "enterprise", "service", "close", "zenbox android", "info", "pdf document", "adobe portable", "document format", "sha1", "bootkit", "loads" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 773, "URI": 5, "FileHash-MD5": 200, "FileHash-SHA1": 197, "IPv4": 304, "URL": 461, "domain": 319, "hostname": 315, "CIDR": 8, "email": 9, "Mutex": 1, "CVE": 62 }, "indicator_count": 2654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0050a527cf92f4dfd0195b", "name": "*Dormant Destruction* VirusTotal report for index.html", "description": "This threat intelligence pulse tracks a long-dormant wiper, dating back to the early 2000s, which has persisted across multiple environments undetected. The malware features sophisticated, \"hidden\" destructive mechanisms capable of widespread data wiping. It appears to leverage administrative-level access, allowing it to move laterally and compromise systems extensively. Continued inaction regarding this infection chain poses a critical risk to data integrity. The ONLY way to fix this as it has taken over the root is by addressing the problem for what it actually is, the math and drops do not lie, deletion and new certs/exp certs will fail. The science is clear, the answer is foggy. Its best to see clearly.", "modified": "2026-05-12T06:40:00.258000", "created": "2026-05-10T09:32:21.717000", "tags": [ "mitre attack", "network info", "processes extra", "meta", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "system process", "sigma", "united", "federation", "file type", "yara", "creates", "pe32", "intel", "malicious", "persistence", "window", "default", "cname", "inprocserver32", "shell folders", "parent pid", "full path", "command line", "accept", "windows nt", "win64", "payload", "shutdown", "tofsee", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "sha256", "back", "windows sandbox", "calls process", "kb body", "civicplus", "network admin", "net192", "net1920000", "icone2", "llc orgid", "houston", "suite e", "city", "ks postalcode", "orgtechhandle", "orgtechref", "houston address", "e city", "address range", "cidr", "network name", "type", "status", "whois server", "entity icone2", "handle", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cus cnrapidssl", "rsa ca", "odigicert inc", "subject public", "key info", "thumbprint", "entity", "rdap database", "iana registrar", "host name", "links", "v3 serial", "cus olet", "encrypt cne8", "validity", "key algorithm", "ec oid", "value a", "please", "javascript", "ascii", "json", "openpgp secret", "extra info", "spawns", "layer protocol", "attack network", "allocated pa", "date", "ripe", "alphen", "rijn", "urls", "suricata ids", "smtp", "poland", "france", "germany", "canada", "japan", "slovakia", "toggle", "msie", "post", "wpaddetectedurl", "settingswpad", "wpaddhcp", "wpaddns", "dynamicloader", "static analysis", "first", "path", "enterprise", "service", "close", "zenbox android", "info", "pdf document", "adobe portable", "document format", "sha1", "bootkit", "loads" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 666, "URI": 3, "FileHash-MD5": 121, "FileHash-SHA1": 131, "IPv4": 286, "URL": 346, "domain": 286, "hostname": 274, "CIDR": 2, "email": 2 }, "indicator_count": 2117, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0050a78094bfae20c7f947", "name": "*Dormant Destruction* VirusTotal report for index.html", "description": "This threat intelligence pulse tracks a long-dormant wiper, dating back to the early 2000s, which has persisted across multiple environments undetected. The malware features sophisticated, \"hidden\" destructive mechanisms capable of widespread data wiping. It appears to leverage administrative-level access, allowing it to move laterally and compromise systems extensively. Continued inaction regarding this infection chain poses a critical risk to data integrity. The ONLY way to fix this as it has taken over the root is by addressing the problem for what it actually is, the math and drops do not lie, deletion and new certs/exp certs will fail. The science is clear, the answer is foggy. Its best to see clearly.", "modified": "2026-05-12T06:39:59.516000", "created": "2026-05-10T09:32:23.727000", "tags": [ "mitre attack", "network info", "processes extra", "meta", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "system process", "sigma", "united", "federation", "file type", "yara", "creates", "pe32", "intel", "malicious", "persistence", "window", "default", "cname", "inprocserver32", "shell folders", "parent pid", "full path", "command line", "accept", "windows nt", "win64", "payload", "shutdown", "tofsee", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "sha256", "back", "windows sandbox", "calls process", "kb body", "civicplus", "network admin", "net192", "net1920000", "icone2", "llc orgid", "houston", "suite e", "city", "ks postalcode", "orgtechhandle", "orgtechref", "houston address", "e city", "address range", "cidr", "network name", "type", "status", "whois server", "entity icone2", "handle", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cus cnrapidssl", "rsa ca", "odigicert inc", "subject public", "key info", "thumbprint", "entity", "rdap database", "iana registrar", "host name", "links", "v3 serial", "cus olet", "encrypt cne8", "validity", "key algorithm", "ec oid", "value a", "please", "javascript", "ascii", "json", "openpgp secret", "extra info", "spawns", "layer protocol", "attack network", "allocated pa", "date", "ripe", "alphen", "rijn", "urls", "suricata ids", "smtp", "poland", "france", "germany", "canada", "japan", "slovakia", "toggle", "msie", "post", "wpaddetectedurl", "settingswpad", "wpaddhcp", "wpaddns", "dynamicloader", "static analysis", "first", "path", "enterprise", "service", "close", "zenbox android", "info", "pdf document", "adobe portable", "document format", "sha1", "bootkit", "loads" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 666, "URI": 3, "FileHash-MD5": 121, "FileHash-SHA1": 137, "IPv4": 293, "URL": 350, "domain": 296, "hostname": 289, "CIDR": 2, "email": 2, "CVE": 4 }, "indicator_count": 2163, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437889&Signature=kOQWTYWZEnXg6x3z7n1h%2BZxGkgstZeT94Va6iNASpQTWtCaM1UzUpKuQfGgpopGCyTOEK%2F7OD4pGKGjQDwX29jg3%2BWWCnmzl2Mzx9F4yN1rq4t4SzOITafJ%2ByjOuVbRn5K%2BAZoVXDIZIUCsUMxgTHhqST3vBcQ503uW6lfzxUcdHHauNqTsPUzjiSG6JrJRGSJW%2BzxrctN1HmMSRzpHcu7CHCOeQuIhHiX7ibuCHhA3JzarYcCaHYe%2B8", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting", "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439406&Signature=Yyt5VdwIWVXZPSrz2llE%2Fkbs8LRRL%2FYacK8lMJDwqz1wnQB9NTQ5QEbHs%2B45GJHAJP3KN1mSh2WU7JPp%2BmDqFZFoauenLoF11M2RaKMwIDojWNE%2Fwb%2BSo6gvaguoU25WEGapdxQpMpn7ojI4%2FW3dmzzX7F9qYQmhmbC9ipqyKXDZHQuAUJaa074tvOcIBvP974a3DKMGUmWO1KyDP73MEZpyuKfxhVFdco02FkPG7mvGCJnXuw3KbSvC", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/00000d3cb583c86b8fd89bcd270cf1a9c1974f23518caf52a9d55ba482afc255_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198022&Signature=X%2FtJADqZ8hUIDWnAnxXSy836h8XaVn9hIB%2FoJc%2BMiH70BQaiUPucRhxoQpLz8ff%2BU7i4DwbrecytnCCLiVA1QuLWxTYL9hBhT8xX%2F3h564r8jpG8kTHcyZTD%2F1w9THtZhgtgccYteH8vuC1RaaNpHpj8RESbs6TdENGlhzHELvXxYplQuBznpKau1ZeLiNJFngKuEOT%2FkcHjzOM%2B%2BUZzAovTwc6PDZOk4C4qBT7YdZ", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu", "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE", "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth", "YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29", "bell.ca", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438900&Signature=GdSSawcnAzzWjiMJAEJMz7h0KpqPNqgwPzPkzv%2FPKo1IhjY2w4WE1ioTHKCJ7eMvq%2F0dzNI1JvYz47q%2FosHjl0ZOvE39XCHG5BsiO6AoXnUe9D1sIksXC19D%2FvOQZLtOQ8uMwJ7oehwmB9VfuwQCEqwu22ClFUwOXSvDI%2FBRa2m8ingT7tEflhqF2okL36dFvtY8GKspHKfRv4ayCedzCEp70TXYBwOOFSkNdMr8ddnW5YBSkzp5", "YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438798&Signature=pANruTzJyu09Hzf4DTv20LDHBbtyRDfVqdUDXcUHU5t%2Fo4ZASzGodrrrh0fSnpxRID7l8PUYQBpatP0X3BS%2BDZyUILHdoxM41n4EbpJ%2B53f5rTs3mKuxEjWVK5Qqv%2BETgwTMnpZ8nScsLJfzlqHy%2B0U7pGcwf58Ddn5NAxMvveGCxrjpeP1nPaMKQMqKtlgIaoZKaRUTWeQus8tECh70NEy%2FBGwoljYsR%2FbGJ5YyrB1jlrAY", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Cuckoofork.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608137&Signature=UiEXl5dFUjdbtSBJ5oDC2ewFK3bwZVFMU4c58Oj69fhp7qdwfqPbxDkJ%2Fip5zs3usTaZu8qrwgjJ3EgqO87YfEBtsV%2FCUTRvtFeHfzrOTkbE1WkOuasRAa92snPaPCt9Kk3y5q3jRMDlVA9g2rpZOsCub%2BYzl0%2FfdG8m%2FFed4xqdb2hu9ANjORr6MflPpQO8ThcwsbuThAuY4d28geQGVt86xzc00GELx6tbWViWiFA", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner", "https://vtbehaviour.commondatastorage.googleapis.com/07e1e7ad5d00405ee7c5fed83b4d9e3a512d9e872d8670cb86fd701f3b8b6259_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438246&Signature=ZGz53K8c67xrCiLmZJbODFjoXur2NU9sF9Xjc%2Ff81AQIH8dBUyDkBf7MQwIyCG7huDtUlwHzNWPb0VzcJksqTxIo%2BJPVvtYvIl8RV%2BckzCDGa3AWmKyyvYPZbn4h%2B8stgKiEu6RzeO9KCA2o91kJ8RAu6HhS6SSlddRteH%2BA3MOc17NU6cmUv0B06xlL9i%2FEgkhPukOAi3TFeOT3hK7Y3pW%2FCBP536Ae%2BaDIzY24ugSkQ%", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://vtbehaviour.commondatastorage.googleapis.com/7d441193d1f16f78d054c1fe662e533db705dad62d0121f02d000e9a6b5fe86b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438365&Signature=h7GZQeeOJNTBzxgmrZzfcTlZI6TwhUTTE1VEYyZfCBcBfVE3Jb8jMGpRJTIh2RjWBMEf1FRvCibTgA%2BKnZNrtxGDZe4CJvEqy02XWJbLarRkHqmn1sMQpskfa4sIPni%2FCkajAZUdYmEuTES7jYJsimQO%2FNtd1bIFSqBot7ecyvQT%2F9ax7KazcoIudKVimT0ihn%2BstThD1NxJalqWZoY2sO1jzCgkaOK9lZeCsAXDE1H3B3LD6yIg", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes.", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali", "https://vtbehaviour.commondatastorage.googleapis.com/004a881e84a216c4bc74f3c80b65b93b0e92730e8650fcd540ddd9c05496821f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437688&Signature=gFtkoBqF5pShJtX6qkZtdovQkyQMLUYrFOjDP6NqgmFoOhYNKhh4DR%2BRduecXCaeSRa%2FFMLPwsZ1NNrjc%2Fg3iGJunOiw%2BNVCbqHgsCqgFukn94EvgBPpTB6B9jvTJkiWGF2dGk%2Bc%2FRUi11iqTV98lN1HTrKNfw0yL67LRmHYEPltNEYRvTe3krIx9Lc3e%2FgV5D2YEoCr%2BEB72AwqJDp3RZPJVsuY1pQBVpH%2FTq4FHpa%", "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/01b1f4159b48ac9d2145ca334ac5088cb79c8d4c03cf0688a87e55335349b331_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779437830&Signature=o1mMUhfVofwSs5xyuFNizd0ePwrbhenHNa%2FGv1rJB1qPc8iZP5wkSG7TAOksy%2Bbq%2BSYFTz%2BK5iCcc3PayR7eyLcifui7TFP%2BR6BRfA165PwBWOQoBUg5NFD9IRXuidu5YGzacnbqDVdrzIWuDRh1%2BN95ftOdtUVsknU6Vxrs%2FlpgDcCvuCw8yBT9TpzeqirdVKlJPVDo9DR35AroEk%2BnXJbeXiIRkTJ3eVKTGSz6CphpXF", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/000011b9276d67cb6c737226e1572ad5396d96a7ce2a6512c6c5774371332730_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198160&Signature=ErZReZYXc0zl2849KmoGwJGof9NjsCg2iX3sqgLWs2FU4WBoLpZAVnFi6g7Z3BFda%2FDPKxZ7%2FHG%2BlEU2VB7ctD7pXcNfD%2F3nEPZC54sles9Cycinws6vWWfHnYmSpwKF4DtTjjbL%2F7bwIb%2FOrT%2BeKzVvt7gGL%2ByHJpWrAgr4UtNSHKVmHLIIgRH%2FfDOtlS410ed%2Bal8ukGl9ZSeDQjYg0A0KKxdNkAtcJPN4fLcl", "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY", "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "https://vtbehaviour.commondatastorage.googleapis.com/45a190c2f2471d465eadce7b529473c1092e0b0fa4a8bd5066f2f0dadd021517_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777197660&Signature=ZeKi%2BRgUGuBZD7C84XN%2BMrK%2FhjGTkk9wZi%2B8oRGqD%2FMkt4j53TX2%2FNO2D5kv3PFADqhPUkUWatmRPNgFj3%2Fxgz2H%2B1MaxZeG4uZ7yDAjWSgY1bcI2k5Z4SWMDc8FAivGl7%2FYutQiu%2FIWCMxbxTnk4yJQiQtuOgqwVTZybq4ROhIA52sWpFV9sAHWnPeTZJIPWahZpZz3LH5ByhNbVb8fHKqxFmoQAswKLvlgjAcNSh", "Pending Review.", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message", "Research Suggests:", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776607834&Signature=hyJ%2FTXDs5ybL7Px0RGD8qpbR2mhMsw9TGnNlVw1emJtvQUIxQ3fbIohjSdWraqmbe1ed3W0qMGeOjKauzQYJM6g4YT4TvdlSBfruPE0NYGLVLi7m2GB6fGGn84yrlYQ34ioU%2F1vJ6f%2FItzTch0a9TpisvD%2FGLq%2FEngakns%2FkmlbkSwGqIlsWY7fVv5H%2BjLF7n%2BKoiRgnElJKbZIKXhoyatx0K1hwEm5FhR2psWxfTwyv7bs", "Backdoor.Win32.Pushdo.s Checkin", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu", "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi", "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608198&Signature=N5AMDdOomLkmCompJzyYyrKb70Dt3nkBA2WmItg2wH6lcZDEqCt9pFe6xjRCi4BUBNOVGWgmAb2xg9tPXQ1mJghdn%2FehssyS8JLpmPFRDGeH7r2ULHprDQ3%2BoXTR9IC38%2F8K1ED36yL6kqTBdr%2BTYNi71%2B6rs%2FBqPgCVgVBMfrtmZHg49tzBjd5GNuDWptnb9gJVuovKjCJh2Ure8hIjmfG4I95r1rmZhHHgE7hRIBqB", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO", "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ", "Do Not Run", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy", "XOR_embeded_exefile_xored_with_round_256_bytes_key", "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196704&Signature=oj%2BDJfu%2FPrkzTQYzv%2BNGIb7bMBOERBArPqSmhPICbJXukp7MyQm%2FhSDqT3TSgCuwYbRMqjTmAdHa9EBQ%2FCjlr3PdRe5jLJ3yEljzhIZMVkux2h7EGR9NvtyGFd0b4G6DcOYfzDyXI7IIUvEDVqDTPa2biRIlSwUKAXKvFLQvemNBTNwAt6ZWjRPcsjpgkPpPBVYA6mGR50QOtob74rarfPZno74N59OZkm5XoVm7mwuzGXDl189f", "kefas.id: Crowdsourced Sigma below | Malicious Score High", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Name Servers PDNS1.ULTRADNS.NET Org", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779439368&Signature=CDFw0%2B8LvB0k7nbKeUPwBR%2FfS5URr4xkEa2F4j12yJ7df5yIucYFDJweGXE%2BExkhEyGCO5CWuoTJB0K%2F6Rpxgfnlabbn5ygiAsFOnib4deEJdbcSyN3Gy9Kws8AW9KqC0rNuo61G5054uz8o49zs3kKm1T18tPWnUdh7hoAvUZZd%2FYUxruCfZvqZhlpNuf5GDd2wiMtdi5FN0gjAWablDvhxF3tIQ15UvXQMm%2BBmTkTGDpYQ1N", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196678&Signature=HzcyQV1X4%2BZuxALwV5MKabxavBVI2pXXV%2BqZ%2FxjbZGEzJLq3HvfBlhoJvnPO72cTsUYIRIF8xWwC5jRcagGjKfbaLJN2X5M8YJLFvzNW8EUuKXbP4HlPUyWW4vdbPPfTDk7AH9O3Mc%2Bsqm0rUu1TTZ5W30gnKw%2B8w129EjLK4TTXdxBhsVZflHp65tluC8NtT6PKr40eTUW79dRIU4EmpzQYixwP5kHPdWny4lMV2tyDCM4BVbj5jGGjOMlG", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/8a7e906f7a61cab63e462258f69c24e3425fa54e5e90cdf68b495c4fd04a1982_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779438540&Signature=vQDqnOc819uwIf0UqNrPAXjrnU5lZulCRWIGBinfcBaYOLutIIcBkwpwhJn4GTrg04JjCxqIcZ43GlpX%2FYhN5uiLQZ5Iq0%2FZl1WfsxOy3LhAomStnIrBU0FvlkCre1wYUHlPoU48crf8016tg9ioYlD%2BwbWR7jeN%2Bk5Ji8P0ipnBOP7K0C822Ae5VenOIz4a%2BB8OR1YdodkTomWdLo46lmTdc899jW0IxF3msxKmV4nal0ZD4aeX", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojandownloader:win32/cutwail.bv", "Trojandownloader:win32/cutwail.bs", "Win.trojan.pushdo-20", "Cve-2022-26134", "Trojan.dukes/xmldrp", "World media", "Slf:msil/pstanomaly.a", "Xored", "Norwell" ], "industries": [ "Judicial", "Government", "Legal", "Telecommunications", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6a0050a3b1d71cc50840286e", "name": "*Dormant Destruction* VirusTotal report for index.html", "description": "This threat intelligence pulse tracks a long-dormant wiper, dating back to the early 2000s, which has persisted across multiple environments undetected. The malware features sophisticated, \"hidden\" destructive mechanisms capable of widespread data wiping. It appears to leverage administrative-level access, allowing it to move laterally and compromise systems extensively. Continued inaction regarding this infection chain poses a critical risk to data integrity. The ONLY way to fix this as it has taken over the root is by addressing the problem for what it actually is, the math and drops do not lie, deletion and new certs/exp certs will fail. The science is clear, the answer is foggy. Its best to see clearly.", "modified": "2026-05-29T19:06:32.951000", "created": "2026-05-10T09:32:19.100000", "tags": [ "mitre attack", "network info", "processes extra", "meta", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "system process", "sigma", "united", "federation", "file type", "yara", "creates", "pe32", "intel", "malicious", "persistence", "window", "default", "cname", "inprocserver32", "shell folders", "parent pid", "full path", "command line", "accept", "windows nt", "win64", "payload", "shutdown", "tofsee", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "sha256", "back", "windows sandbox", "calls process", "kb body", "civicplus", "network admin", "net192", "net1920000", "icone2", "llc orgid", "houston", "suite e", "city", "ks postalcode", "orgtechhandle", "orgtechref", "houston address", "e city", "address range", "cidr", "network name", "type", "status", "whois server", "entity icone2", "handle", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cus cnrapidssl", "rsa ca", "odigicert inc", "subject public", "key info", "thumbprint", "entity", "rdap database", "iana registrar", "host name", "links", "v3 serial", "cus olet", "encrypt cne8", "validity", "key algorithm", "ec oid", "value a", "please", "javascript", "ascii", "json", "openpgp secret", "extra info", "spawns", "layer protocol", "attack network", "allocated pa", "date", "ripe", "alphen", "rijn", "urls", "suricata ids", "smtp", "poland", "france", "germany", "canada", "japan", "slovakia", "toggle", "msie", "post", "wpaddetectedurl", "settingswpad", "wpaddhcp", "wpaddns", "dynamicloader", "static analysis", "first", "path", "enterprise", "service", "close", "zenbox android", "info", "pdf document", "adobe portable", "document format", "sha1", "bootkit", "loads" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e1b97b7f87063caf2e7a8ae6c7ec834006eb3a3753f185415adbd3ab4d063662_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402037&Signature=YNxp5VCG9MJMmG%2F9SM0xFj86aE%2BDn4d%2BloEbjzGdWh57oS%2BoKZQuQ4QX6wuKgoTNgbG%2FJXPBfOce4rMNJK2biVU0MQNsEcn6Rvez7%2BPKxBDgTVfW5ZqYvEIC4%2BPIP5R7Wz5S9lD88AhsPMpRD5uNmWf8UCUEtZbDvU7gCQ55%2F9YjNz4oKzn%2B2zIIaq1ZfP2RPOZAJmU%2FryFIfChNBecPcHBhrVolEMxMMG9aDrJTiyT4dyIQ4M", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402076&Signature=CoPEm0rKM9zwB6jfYndZxnY5%2BHhs4eKx7qJL%2BE5nSaoEFD3ERDi7iaNDKE1KQxnCcmgEph04lJ80Ske0vRMKuUyMKplSXMUL%2BMze5w54QIipWo%2BIpHNq5nBajpvcTxzX9cvn4XFMEfOqwDud1H6YsOFGMotCi0%2Fqhuoq5GfohsdoBJtIDdIpnPyhaH%2BxNkWtB0pKkulsN1pBugmA8C9tjFan9P%2F%2BH3gzFI84nd8t6BWD%2BoecalP%", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402098&Signature=xdj6GkorlDc6S8s%2FMjlB%2BNQyXwa%2F1fpMkkOwWytsu1U3NwFTxbNfgkNR4Exa7frC11A9IyqmxX3rDIHw%2FZkYR%2Ba2IC16wTto%2BuFOj1KtZVJjsGwgG5HsGoJy8xfiNvBfMKxGZk0wuBG%2B0VlG%2Bp1dDWariTtLVxuneQjQUwiSWFqStKrdJjFHrfhqdSxggVR7Kq31S%2Bw0fbveIvONeGSv%2FULwQAZ4V%2Be0wea94lxz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402306&Signature=hf7TRgRfZ09UHHXoMh4kZC9nDUIFKmmOpbEGQL%2BRY%2BhxSyC%2F5C7YQCpHUlVYDnUyZ0YvtO5z2T%2FDZyUuzdmJGopuc8AzF%2FV8l2v3cboHR37ku0q9rSds5%2FuHStLQXakQki1S74aBixjHGRWwNse3XqlIxOXzaD2bMaMuLtxp2DJjycVxWnTWgG6IkLKxn17cY9GrfaVqdbkUOsPiPHhzJv4KD5Gu1wPjbRqkgfFIBCOOShM1M%2F%2F7Vz", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402360&Signature=QdukcaW5xWJAXHy7L5Wlrhp7Fbl5B7ruGInmUghMlbYS%2B58VlmR8pKCqWOru3Ayq%2BnCHEi7svEzUEZPH%2BTxVPOIz4QtVCb1%2FyyJBXuYJNrhX%2FljFo%2Bj%2Ftqgb%2F7PgRCo3UBr7cGbLq1%2FEzSBiwApZqUhcDGTIw9uFhxd1XZLcODEu%2BBWIQW1Bcaq6al%2BMVclyuNjGF08msv99Y5%2FsufmOaXETQ561NMUtg7Kf4Y", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402433&Signature=fzgApvZFpRqQQR%2FqOj4lIRpve9d%2FyvYl04itAdLoyMKXstzu2CT3KiOmR0Zp4euPLDwcqskfB1E8tMlbjB8jhJK8zxF0gmN1NZoL8H7rNi21bXimGf7obVucirIj63DjHLKtV6QVELZnTvfmviaEHkX2CDHVqArFgOaezhS7msZ273wDaQSWcJHNpo2%2F14v1YenlTvV2ynBHRfDaYamM0MsLpdmz%2BrfI5K2P%2BzE8SZyW%2FzGrfF", "https://vtbehaviour.commondatastorage.googleapis.com/242cf4ff8a4167353b01b7cfc7ecc5430c7ce4a385a3290c43dd28c016f03761_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402546&Signature=QcJ3mvV%2FEBhcZxMeAJUxKHP%2BPI28f7pnarMn9PpZrvsxLKxpRmkwXjvTZ7Om3GJ72ykfji6gfNpRgDYK2M5Ft44D72%2B3kjMqJuRZmObcTY47nG2d7OuUbNBYufoqyoBiIA5fdiiOVARm%2FULdQ4xMo6P5wUBttgRiwF6qTcnefajnbn8ULwKmwsG%2FkP6CjI4ZsID7VI9Qq%2Bo08eFIH15kLUfrA%2B9XRExHTGoheVAld%2BIBpqgAn%2FgV", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402679&Signature=tYgx%2Btx9Wo5u4OONyhm8h8HlC8ikfb1WagGKhy3grrUW6vFIL998hEF8Wpe7avm3ErO3WihRVaUQOsrOV%2Beag%2BqPh35di%2FAuTjcO96quMa54BzzpUbwLqc8Q3OSyFORzvewpEF2nYlGg865A1Vy5go4hxDKI709M1sYpKoV5FGB7ed%2Fa9z0beRBh0XlEIyPluTNf08ZGoATIA7rEsDrFHAWS%2BK72cMBe4e5LrJepBNWw0c4%2B", "https://vtbehaviour.commondatastorage.googleapis.com/1c515f592472daa56b5dfb73f1cfb421177bccda1475a9f28ce329c97e17ee5a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778402736&Signature=cMwy0s44mI2KEExAz3Mv0ahtxdPxHk2QnEYZMoIzkeHz6hkMLCxpY5PdTkUOhnhOccVmLlmhn5Wx87K7G5%2FSeOFVRnv9ov6fxkKV4KYqKR%2Bq6hBQ7yju1HSFlRUwnDt32CJlcx9ULx60AfFkXOjbc21UWy%2BUYe32SPTiCL5%2FTS8FrFsXNI8w6oIdKSaAoGo1cRrK1I3vAB%2BR93vbnHBYIDivvFAA3MYOYrQAUO8X3rHcUU", "https://vtbehaviour.commondatastorage.googleapis.com/25d9183d8c0958f0ddde370d964d9729aa40c9faef270c4a9bc4301a07a8ed37_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403579&Signature=AdxQo3GHHARKwoNS8r33uGWFGkXoZ71d5KmoiPTM4yephbPsZTXn%2Fb%2Fobup7NTbAQcceFe6Rx%2Bx8n9O7KKQoInOEewOENKdE7pnMJddLDxmAMPXDDYV%2Fhm5MkJLRljcyhU6lcX2ESSeND4A5g0qI5MY1QBoAFwJhRpC%2FSzDOxuZ8tdvV3SaOSXEj7XhJjNhnyrB4g3z2nyfkMo0xa8iigqKnzgq%2F%2B7tOpwvy6uB1S2", "https://vtbehaviour.commondatastorage.googleapis.com/3db1349cf555337f7e1bcfaea53710a33e1b3d088e12b0ab2b416cb1b43df7ee_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778403775&Signature=jSzPctxlS%2F0o4jpadvN%2BG4XQ69muJMHwIQZNulWuy1D5cGeaZqaL6bj2dP2Keh43XTfPBvmpE0l%2B%2FK%2BHsi%2FLbUvfQJB0Ow%2FoH9zplQpYc%2FQs7rxg7IPb%2BZA0uWqA2bccRt1JYYyXi%2BUvK5CsfeXr8DeAo3W6wHLwqwQfirNfrhBeO48dDsEJyUcFRn8NqorGiudjV8PBV1VK9rS%2BogLTZ7Wj1wMnBipbOgm6lOYX", "https://www.virustotal.com/gui/search?query=entity%3Adomain%20txt%3A%22v%3Dspf1%20include%3A_spf.tierra.net%20%7Eall%22", "https://vtbehaviour.commondatastorage.googleapis.com/e4aa1bc4332b59e6b635189e3225cc8544fb73582755d33ad1cee10e02be92a6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404284&Signature=C8BgIjJ%2F31gsdkd94Wt%2B1LRHHkBHaDW7PqntQXRecjr%2Fa9idW6XwshKibZ00x%2B4s8pPhOifu5RP50H8NLe%2F4V3SIdajS3dQvkDP9UqmOJlOWBrC0r69zoaEGGEfkfQi1CEba4wvXfPM8y74L7ITDe3Yj6QCMLOnrTMRADc1e29KAc1aC5sKI%2Ba6tQWSaawZpoFXY8LPcZqFLtue1nh1Em7PyJXxcPqFIois%2Btfi7XdSXSGoMISk9F%2B", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404411&Signature=dDeNHkYz7S95CZY9qSQzDB9AfgnyHXFGIReDdaHaDiB5ZXNnbtM%2F410nKqbHWHWJ8Q8bbbEfQoAPf%2FecFgT6tD%2FDSosX0UvAii02cMO6IULYvtc3OppP9pf%2F2lRoJVo%2F%2FXUZ4%2FeW7%2F7LuofcP%2FEFFhmyJ%2BqaNSvA4vyaLkN04qrLrEeK6fgwrinWDCD9DJYx%2B6TbUZL%2Bdh1bd59v8P%2BN52%2FGgoeZd6m6I4%2FHErxr", "https://vtbehaviour.commondatastorage.googleapis.com/edd67d9681efbbb020648caad34b4ef8ad01ff4e80b54fb771dfa875fd9c85be_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404482&Signature=pzkjsdl%2FSRdVnXtKm74mqbETIgdy70CIbXyiOiFOEF0jkgthIekpKrvOpI2fDHbD5SfhqlkdAGCojl7fw86XmmyeItDqqiAG9dm%2FNUjZEwCKOgEtOEbtbqZq7XNJtBASf1%2BD8aCxIOuhSWuXfh8wLD5urtXfwjLRwIlElQblSTCgiI1CRaM5yXCzXkLMFCKc2cAlYl7qcxAcv5apZcyxWxszijCP3FHGduK7BA0PIoPX%2Fjs3bZs3Rto", "https://vtbehaviour.commondatastorage.googleapis.com/28371ee176b88da4266741c4e9f6786b41810ab8ab564aa5fb3de0c08d8f39b3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778404622&Signature=X15DH2Rnn%2Fviy5Mx5jkaDvWzug5gYktkbXPA3dMrveSe0WEa3VYZtYI65kZU6q8MA50N76ZCKDY5M7HqhcLPRAsqUTGrvP231Dp1DVn0s0h7HPxFW4a%2BXdD96Xbx39ACwMYWVIZQC29BDFEhRj56BLif2KGyA20VlfKn0J8L0dbmnkgykOPnK70X5%2BRs0NQZ3olmkq%2BAMLwMkt3DcxhaEc6x78GH5eTgLoPKaBe2x8QvOYUrWxhy", "https://vtbehaviour.commondatastorage.googleapis.com/92130c8f1b6fc79dca5b103ac30bb118c92a9f877d6d5db67430b9dd40025d40_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405020&Signature=tTwKGyLIe8DNefa6LIf3AdycaRcbew94iXL6Zr%2BWMysNIuhtlIyEu4twuamne%2F5ijUNW0mo8fmhQ1VR8SsNpYxfE3Tk10WIfijvHyvcsfI6Yjj7syNsMDDbY5wRt22eShn0pJOnZ5gUbNPB74ucvYcq3DZCND9aJ%2FIq%2B71NVEcQHcCtZlsIcoutjIJh6mpzImo07ZZ5XcaiayiW4FpXkiaen%2BCn%2FaD1Yjb1%2FKFufmJ", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405119&Signature=zoh6wk%2BZ9Uohe5PZRAKPdhx9ruJ6BNx1cKG%2BFFPbD%2FQQJn3%2BgXv2%2F5JqX%2FT2zSw6LAkU%2FF%2Fzis%2FBUi2fyvifCnqG649sCld%2B1%2F%2BoJGdyAiGyaEp5aCn49BNYMeGLyi6gBjH1H%2FBldw7v2MAVOCEFX8A%2Bfx3T9j4Yay4lCVP2CRzUfPdJLNaJSvkU3wwfK%2FBJG9mDTyyuqQ%2B%2F0FPGRmvc4ZhYQHKh", "https://vtbehaviour.commondatastorage.googleapis.com/910c6d6b843dae92d9b13230244646f972dfbc3136b8455916c74e8d6da423ac_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778405312&Signature=aw4LTG90scEntjzrTn2oehQRQ2tyA8wKnsPgZzPJrOGU40FyGhgYV1GthrkNFo94u%2Fl9EaczgTtRWvIfeZW9JFU3mPAgAjE9FRonw9R8C9f5tN3mcg0SJUwG8NRDlzMOEvN2MjaY%2FuWLiTbz7xXWj9DyUrPzKGhkqw%2FAcv0B%2FWjesEVgf44XWE4mm95o%2B4x%2F5ZxZ2zEhXNSmJ0qL66Xpsq6Vl7cjbIkPNYp1%2BDZCQ7qObBP4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 669, "URI": 3, "FileHash-MD5": 121, "FileHash-SHA1": 131, "IPv4": 285, "URL": 346, "domain": 286, "hostname": 274, "CIDR": 2, "email": 2 }, "indicator_count": 2119, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a062736db89f7c827b1d4", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:58.595000", "created": "2026-05-17T18:17:11.966000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 301, "FileHash-SHA1": 313, "FileHash-SHA256": 774, "URL": 667, "IPv4": 241, "domain": 205, "hostname": 612, "email": 5, "IPv6": 2, "CIDR": 1, "CVE": 23, "JA3": 1 }, "indicator_count": 3145, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a06582d0722271a4599d7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:57.618000", "created": "2026-05-17T18:18:00.792000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065b8e1ccb825970a9e5", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:56.390000", "created": "2026-05-17T18:18:03.742000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 523, "IPv4": 159, "domain": 194, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065be823d8e9966e18ce", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:55.117000", "created": "2026-05-17T18:18:03.751000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 464, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2658, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065d1177dadd6522914f", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:54.028000", "created": "2026-05-17T18:18:05.783000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0a065ebc76096529b575c7", "name": "\u2022Belasco Chain *intersect* TTB Chained\u2022 CAPE Sandbox", "description": "The Belasco/TTB Chain update: this ever growing multi-layered evasion framework that exploits enterprise document validation workflows by embedding a forged, tamper-evident cryptographic signature seal inside high-value registry templates. By manipulating server-side serialization routines, it injects malformed metadata into the uncompressed cross-reference table bounds, fabricating a hollow root object structure with passive /XFormData anomalies. When processed, enterprise parsers encounter custom structural loops, causing them to bypass integrity crashes or broken seal alerts and instead drop into a silent fallback mode that interprets the forged stream as a trusted, vendor-signed telemetry directive. This structural coercion forces an outbound handshake mimicking legitimate corporate update traffic, which routes back through localized microcomputing nodes acting as reverse proxies to mask the true command-and-control footprint within residential IP space and evade standard detection. \n-msudosos|LB", "modified": "2026-05-29T15:11:52.618000", "created": "2026-05-17T18:18:06.287000", "tags": [ "sqlite", "query language", "id http", "nomeente http", "t http", "us locality", "registrant", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "modified files", "files nothing", "performs dns", "drops pe", "binary", "urls", "mitre attack", "network info", "dropped info", "processes extra", "file type", "pe32", "malicious", "persistence", "defense evasion", "strong", "library", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha1", "crc32", "pass", "accept", "false", "span", "ultimate", "body", "widget", "winoptimizer", "shutdown", "copy", "open", "title", "close", "black", "next", "code", "backspace", "insert", "updater", "courier", "format", "root", "reload", "hotkey", "already", "click", "date", "strings", "wave", "typeof t", "function", "sufeffxa0", "typeof e", "typeof define", "typeof module", "required", "migrate plugin", "migrate", "backcompat", "default", "acrongl integ", "adc4240758", "back", "t1055 process", "overview", "overview zenbox", "win64", "sha256", "windows sandbox", "calls process", "pdf document", "adobe portable", "document format", "win1", "bootkit" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037724&Signature=uToOiWIuOE7HmHpjXF9x0LXyk5S3JEVInipJNmZN5YG9yo9W4BEM31FI0BLBVL6SPPnOg3IOov9%2BEShIsg%2FDaQ4f763FXUPoboEkZbC3%2Bz7RecDp%2Buu0a%2FwaqPP%2BvmlMGrPUPYW%2BGTKMSXB55oH10Wx4c2ScXzol7FBOvWQkrAExPjFXbG04%2BI5ah8vCwjkEQ9QTftj2hnqKmQ0w%2Bo9aRXzE4POfaSPSMJlwWCVVf7g0", "https://vtbehaviour.commondatastorage.googleapis.com/81b8481537eb962dbf25bcf316ce4d87f159c2211f0e334d77e613a1fd35effc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037785&Signature=vUqSPwSNJcSN7Ho2S1tEy9k1GF8mljX4SFLEZXW44Wj6APnIP8tTsnoNopwyjojL2Aht8kpeB%2Fqz1wQniBTNYFPaDeqm%2FmPL71DHI6BRD0pH0khzM3Lb92EwhPHW0K7ZQio0%2Fbu2PfYw48B9u80NkUHjQfXNrO4vzfv%2FxMYllYtWX27RDxijlqyAKQAUOt89UvH0JKBUbU61AVET2KxEt00XqxrAofpB0Ok8JCVcfpO1QSHvfiOTmV3tpLVsLg", "https://vtbehaviour.commondatastorage.googleapis.com/d23b1f34bdff64dbabaaebc4728c1f4284917e1c35de56ac10e6980e4fcbc6dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779037833&Signature=gSoKZpsajMNj0tOYpNeq3W%2Fa2iwr5Y7omASjVLUwVrwVQb8dxTBm7AOsIYBcPjf%2Fv6g1Nq%2BYKpFRZ2UNGausEbF0YYLQG1GenKiDuPYOIaAAu6i1%2BtQ5n0ahyb97I%2BVfA6D7PU%2FDsdHc41CQXPWk0VfH4dYosFuna%2BtVB%2BGxc5aXUyNdxdmI6RI%2Bl0nNTDMCHcvFyHDZAqA6xo9YUfSvnM0dQ84x4P9LLXLyIQqusJpb", "https://vtbehaviour.commondatastorage.googleapis.com/029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038291&Signature=txUjrnKyzNEEJHcEOwGxtIqCkFr4dOaRDraffjQWzg%2FlECF6kA86F9mWWDEaZoEO7zA8lMrq6HK1P7EUkZ152LvS3CHVZ6Znm403yGKqyxIGZ6J3TUas0UErZrEkbffZT2c35EiyHc%2BX9lfHCirzOWjTml1%2FmHuRdvb7n5TimgNqEz0M%2ByzFdCpNnOqVE1PhBAE0PaihzC5OtSZmDQDcH3eaNkc35Oq6RtblgtvQuJnbDw2b%2F0Am", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038494&Signature=Nuhou%2BrkKB3f2tpK4z7OpbdASYwP6151Wepl0L%2FnwpMAj7rQAsrHrCiDVjb5r%2FKgfBD3PFIp2d8kpIzrbCEPmxSVa%2F7xNWOXn544YOcc5NMxaLi43T%2FmJknbr%2F%2F%2B9dggXczbZdbYT7ggbHBwpgN35N7H%2BcwP8Y9Ly0ubhy9dejuTj5Sxmsax%2BK%2FfaOKh65PiZyKQy4%2BurPDuaE70GDuqJuouRUxTMGY2f35RVG", "https://vtbehaviour.commondatastorage.googleapis.com/409593705b88f65fbb1bbd927124a6d03f5b8848ea42b4a9b1f9c89498277116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038536&Signature=wz69ncxZ645iLHK9IMZmhmUQkfwEPcsBE0fQs1PZmBJDwiJoAE7e%2Fb0nBL1aKW%2BsHkoUEJXfN7mlVUjJGkpmIl1VSipMpvVwoeYN9Ruj1dCNnZFtsKRSCsjEppHvKzvQd7No3fACw4djqhyqFltcCJnuhGAiKSpzPGN%2BkBm9Etjd2HDhg9Ioj8CwIOjKQlL2a9RUpPrAT1WLUiayPGqQkJ%2FQVYtUcFc59mPBMnYHzKUal4Yxa6p3%2FmndAWrM", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038595&Signature=Af%2Be1X%2Fq9MJpvk5cHC6grYvhonz8rq%2FGJfGjh1a2maTQeDKxnyvjqnJlUiu1M3LD8j3Ddn4NhupIoW2z%2FysMx2hmL1awOgTnq4YlF%2FKUcUYKkiqtYFQvU%2FikFgBx4Y8tGokreM%2FhXVntqNS8Z8UrBhAFSvEXKv8J5yb9VVUqJnm981tbTM7JfXSY4%2F1d4Lj9oRtLOf7Na2lGh2io%2FegQnXiWJDswhrtb7JcVX4wg%2Fk", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038710&Signature=sfYWMOms0PEEnSSJfclZZvnWt%2F60HnYpPeGrwr%2F%2F1JNOq8TUCnCe%2FDbwq%2FMnAU05gn2Iw7%2Bpid3nosU7qocyXLnfF41vt%2Bumc5b%2B8%2Fz4h3T17xEyuOTHH3ek2ZhrIiMN4oGDk3eyyBkWBsI0cd84A%2FqgEd%2FBfoXIPZWCBRvCguV4VnqvQZWP%2B%2Fhq6PyKkQnNN2uYm4KgwAOj8vfdBDZPfnMCxheK%2", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779038800&Signature=G9vOza%2FHAZmNa2cRwrMfrPCUYDf3WICntnSFcc6ZIA70lpJSK8CgNQOiacqJq8ciGOb2LCDMPaNRxU4jtAp%2FwBMeb7%2BEkOH1%2F22%2FMki8RSWz5kaXhb0RY9gT7iXHPmBN5g7dxNRF9q31T60j6tGmp07Vs3Pty6u4CFJDIjFnZsp3L3%2FD03E8RqxSqbdbnol3BB2R92pZCGhqPkDK6Qky9g%2FAehyESkjWf8CsU9Tp0jxPmK0L", "https://vtbehaviour.commondatastorage.googleapis.com/06c881d2c6a232ad617cadd8357af9ebc20a0f90691189740d0255707a194f00_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039036&Signature=i%2BTlzWzthguX2AW1S6eYnMMiVqNGD1UaWSumYNg18jZjHMgR0PuRS0p4OaA%2Bf6PqLRWSI%2BN3VpRmru%2FM5fYzx66sbhtge%2FIxJbxEJkDoowwG8h2270jrB7UGmEkSGpWWI%2FJTK1p%2BqjHkfdO0Xuca8%2F1EDXBvC0IuUlNfUulFNUt58kmgQxM7C95aiB5g3YQWbXwGGWZwAZYLqKXEtiDzK9vuw4HoaKs9zgDEgH7etCuZNj", "https://vtbehaviour.commondatastorage.googleapis.com/a61cc21de701bb115d60b010bef85f7eb67ed99acbd01f2f9af8f3852fded3e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039265&Signature=QWTCTIbwJthaWC7tp%2FKqNaavJ0wi9sJ6ca0jxuhKn8d3MG2hPy4nV0vJ2gBQIiQ7KRcOeIsEqnE6FjcKtfJGPY80l7BPlyBxH4hrswuashs1q6Zh3O%2FM616QMUU64EH0EkTWqVxVGwOnw8yH9NCEjNndyPn%2FDZhbDdSlpxDiSZLr%2Fi%2Fo6zJJo5K8dKwe2vHKBPIMsQMNxgX4xc34hxt0LGyZKVY2PnD1dJQrCK7LGcibtrXqOHWy", "https://vtbehaviour.commondatastorage.googleapis.com/0000041efcab1d9f215681d3dc4d80a24a53c697558f0296a8255c3c4b873d77_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779039442&Signature=0zJROvkD%2FB040yZrVRBABTHsgB8H9DUZdeq8LdR%2BNVw0pWsP5xvutlD3n%2B5ZbRB3xXfFINMYeqWGQf7GXzP%2BAuB62ya8Mm1NsGAH3XQ77EtT%2BHJ%2BEUwwrs76WBfI0Y7ouNIur26iLGDWEyGVvvSZuz2ynvgVNMkYyt8avsZpQNWSjH8bae0qIGtalgnC43jweUm4KJhQw%2FyC48igY9MjhiIsNXTlPgVhs31BbNeQBlGtgp6U" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 269, "FileHash-SHA1": 293, "FileHash-SHA256": 747, "URL": 522, "IPv4": 159, "domain": 195, "hostname": 463, "email": 5, "IPv6": 2, "CVE": 1, "JA3": 1 }, "indicator_count": 2657, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d458f27a51876d7949f5", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T17:19:19.635000", "created": "2026-05-25T04:47:20.503000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 326, "domain": 179, "hostname": 381, "FileHash-MD5": 811, "FileHash-SHA1": 835, "URL": 815, "email": 2 }, "indicator_count": 5615, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "microsoftstart.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "microsoftstart.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780225698.599294 }