{
"type": "Domain",
"indicator": "pdfkit.net",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/pdfkit.net",
"alexa": "http://www.alexa.com/siteinfo/pdfkit.net",
"indicator": "pdfkit.net",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 4199949010,
"indicator": "pdfkit.net",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69a02837827feb0b78fa3ad2",
"name": "The Belasco Chain",
"description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
"modified": "2026-04-19T09:34:35.173000",
"created": "2026-02-26T11:02:15.932000",
"tags": [
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file type",
"sha1",
"sha256",
"crc32",
"filenames c"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2805,
"FileHash-SHA1": 2568,
"FileHash-SHA256": 7488,
"domain": 1883,
"hostname": 1466,
"URL": 1179,
"email": 46,
"CVE": 46,
"CIDR": 3,
"YARA": 7,
"IPv4": 94,
"JA3": 1
},
"indicator_count": 17586,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "5 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "7 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a12a81af4358973fbdf1a8",
"name": "Example 2: Belasco Chain Byproduct of Certificate Hosted Malware (See Prior Thread #2 Entrust.com",
"description": "CAcert bypass",
"modified": "2026-04-19T07:42:53.546000",
"created": "2026-02-27T05:24:16.997000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 20,
"FileHash-SHA256": 112,
"FileHash-MD5": 8,
"URL": 69,
"hostname": 17,
"FileHash-SHA1": 6,
"CVE": 6,
"YARA": 5
},
"indicator_count": 243,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "7 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a128183ec6ca56bf30ed90",
"name": "Example 1: Belasco Chain Byproduct of Certificate Hosted Malware (See Prior Thread) #1 Sectigo.com",
"description": "Maelia Cymru, Maelaela Cairn-Bawr, Cefniadol, Fywodraethaf, Gwynedd, Dafydd Sadwrn.",
"modified": "2026-04-19T07:42:52.433000",
"created": "2026-02-27T05:14:00.078000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 110,
"FileHash-SHA1": 134,
"FileHash-SHA256": 579,
"domain": 23,
"hostname": 17,
"email": 3,
"URL": 14,
"CVE": 6
},
"indicator_count": 886,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "7 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b91a2b5f41a30f0055e428",
"name": "PDFKIT.NET, Mostly (VERY) malicious files communicating",
"description": "Facebook.com has been closed down because of a security breach, but its users have been able to access a link to a website set up to monitor what is going on in the UK and Ireland. <<--pretext im converting to hex and sha for my own purposes : (oa auth suspected) hexadecimal: 46616365626f6f6b2e636f6d20686173206265656e20636c6f73656420646f776e2062656361757365206f662061207365637572697479206272656163682c20627574206974732075736572732068617665206265656e2061626c6520746f206163636573732061206c696e6b20746f206120776562736974652073657420757020746f206d6f6e69746f72207768617420697320676f696e67206f6e20696e2074686520554b20616e64204972656c616e642e\nd5f8799abe57544479e57684f50ebdfa\n9a9ce9d2c2760811d408eed6d29837161947df3d\n6a22028e1db2baf162dc321b52396ddb931ac1cc90a06e31009d1e95ea9a5506",
"modified": "2026-04-16T09:05:11.431000",
"created": "2026-03-17T09:08:59.685000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 40,
"FileHash-SHA1": 40,
"FileHash-SHA256": 202,
"domain": 460,
"hostname": 176,
"CVE": 1
},
"indicator_count": 919,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b91460171012d26bc4feac",
"name": "CAPE Sandbox",
"description": "",
"modified": "2026-04-16T08:05:04.592000",
"created": "2026-03-17T08:44:16.304000",
"tags": [
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"cultureneutral",
"acrongl integ",
"adc4240758",
"file type",
"accept",
"shutdown",
"back"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c8c0f8ff904d4e1d1e8b6b5786a8b09d0fb2bebca7006e42006b818ce0648549_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1773737190&Signature=WjghvIMKtBMi2BQwub8uBrThst%2FxEjK5w4dlu8bnjh9UETNE%2F9rH31%2BReBhbimLEATiWE4EUKipl1Tw2tqe0TMRCS7%2FRB2aOKwQ56r%2FnNnams%2B%2BYnJHqoal6UFGgZ2gBmvYPPxKVwZlA4HA60KW71xAjdCnVss9b1lSU2abtrg%2F2prPWPyK0s%2FdMRfg%2BLRzRy%2FNxbG6%2FnN2lgWQD5LFIIMqinqZwMHRzFGxGfF"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 95,
"FileHash-SHA1": 87,
"FileHash-SHA256": 75,
"URL": 30,
"hostname": 181,
"domain": 47
},
"indicator_count": 515,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db609269c77812f937026e",
"name": "CAPE Sandbox ----- emulex fc 2.72.011.002-3",
"description": "emulex fc 2.72.011.002-3, Malware Behavior Catalog Tree\nAnti-Behavioral Analysis\nOB0001\nVirtual Machine Detection\nB0009\nSoftware Packing\nF0001\nAnti-Static Analysis\nOB0002\nSoftware Packing\nF0001\nDefense Evasion\nOB0006\nSoftware Packing\nF0001\nDiscovery\nOB0007\nFile and Directory Discovery\nE1083\nExecution\nOB0009\nCommand and Scripting Interpreter\nE1059\nFile System\nOC0001\nDelete File\nC0047\nGet File Attributes\nC0049\nSet File Attributes\nC0050\nRead File\nC0051\nWrites File\nC0052\nProcess\nOC0003\nTerminate Process\nC0018\nCommunication\nOC0006\nHTTP Communication\nC0002\n\nWho are you protecting? Look at your root certificate map to 2018-19. Im not mad, I am just disappointed in the lack of cyber security awareness and cryptographic failures. If I see one more unsigned DNSSEC. Edge node completely exposed. Maybe let CISA and the NSA handle things since they are competent. unknown agency- #burnedyourowncountry.\nPalo Alto, level blue, falcon sandbox, cape, yomi, sec, arc- you are heroes for picking up malware that evades everything.",
"modified": "2026-04-15T19:46:25.951000",
"created": "2026-04-12T09:06:26.754000",
"tags": [
"hbanyware",
"hbas",
"true",
"reportlocation",
"programfiles",
"command line",
"enable silent",
"mode",
"full",
"local only",
"false",
"path",
"example",
"windows sandbox",
"clear filters",
"show",
"fibre channel",
"emulex fibre",
"emulex network",
"fibre chann",
"host b",
"network",
"emulex",
"network cards",
"find",
"UNITED STATES SENT.",
"Still love USA.",
"bankers doc",
"ESign Violation",
"cyber warfare",
"Fraud",
"pdfkit.net",
"CIVIL rights violation",
"geofence",
"whistleblower",
"adobe exploited from unsafe practices",
"certificate abuse",
"wiper",
"Docusign exploited from unsafe practices",
"abuse",
"modification of the record",
"date changes",
"deleting evidence",
"wateringholeleftwideopen#RiskManagementKnowledgeDeficient",
"firmware neutral",
"fraud",
"espionage",
"Iloveyou.txt",
"APTnull.",
"PlutoniumoftheInternet",
"apiabuse",
"Put Zen at risk",
"Microsoft exploited from misuse of power and secure protocols",
"Spyonyourinternalframework.",
"fsquirt.[exe]",
"bluetooth tampering",
"wormhole",
"backdoor",
"GITlikeMITbutSouth",
"pool",
"CloseDoorsProper",
"spellbound.[exe]",
"Wizard",
"GUI of Bluetooth File Transfer Wizard",
" Bezet!