{ "type": "Domain", "indicator": "timeout.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/timeout.com", "alexa": "http://www.alexa.com/siteinfo/timeout.com", "indicator": "timeout.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "ad_network", "message": "Whitelisted ad network domain ads.timeout.com", "name": "Whitelisted ad network domain" }, { "source": "majestic", "message": "Whitelisted domain timeout.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain timeout.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3351124720, "indicator": "timeout.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6a0fde205095bd98f11dcd2e", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:40:00.363000", "created": "2026-05-22T04:40:00.363000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1e9d38578f83f2f07a", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:58.097000", "created": "2026-05-22T04:39:58.097000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1b366253c296281156", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:55.100000", "created": "2026-05-22T04:39:55.100000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd8fcf280068179ca6d174", "name": "Over 1 Million Comm. Files. 158 referring malic tagged.", "description": "0befb3ee094b270c981816a69da00a000572f38d71772578cd7e2001d, as part of a series of events.\nacroipm2.adobe.[com]\nadobe.[com]", "modified": "2026-05-08T07:59:04.198000", "created": "2026-05-08T07:25:03.312000", "tags": [ "win32 dll", "win32 exe", "com laude", "readermessages", "microsoft", "ltd dba", "nomiq", "network capture", "text", "gzip", "first", "thumbprint", "code", "email", "san jose", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "date", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "cname", "aaaa", "ttl value", "key identifier", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "sha384", "ca1 validity", "info", "domain", "expiry date", "united", "update date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "FileHash-SHA1": 159, "FileHash-SHA256": 546, "IPv4": 314, "URL": 164, "domain": 52, "hostname": 210, "email": 6, "IPv6": 2, "CIDR": 6 }, "indicator_count": 1604, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd77791314336d2ce3b694", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:30.965000", "created": "2026-05-08T05:41:13.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 204, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1262, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd777910676e8bf0b845ee", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.869000", "created": "2026-05-08T05:41:13.718000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd777a9e7f4113aeb6b47c", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.152000", "created": "2026-05-08T05:41:14.795000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd777b0f4e9133dee0511f", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:28.276000", "created": "2026-05-08T05:41:15.674000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b5e32dee4d743737f99e72", "name": "CAPE Sandbox - Magika PEBIN Visual C++ EXE Win64", "description": "b3d4da64cbe049829e09ed7c24278551\nSHA-1\n34dbf480ffed8beb3e3e3d8d25ab38578463df07\nSHA-256\n8acca91ad54ccc1f1f16daa5b4217962a20359d12fe5da17d4ca9d72dcba79ef\nVhash\n0150665665655d1561z13z1004216z27z30500213z19z\nAuthentihash\ne5e7ec746b31d7b472f1fbbf4262d5749a15ab90e77374fb0c7e7d9fdfb31786\nImphash\n7182b1ea6f92adbf459a2c65d8d4dd9e\nSSDEEP\n3072:0V3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPOx8:Zt5hBPi0BW69hd1MMdxPe9N9uA069TBN\nTLSH\nT14EC32756B2E01198EBF581F6D5920746EB7074321B15A3DB6B7863B31B2B8C58F3D3A0\nFile type\nWin32 EXE \nexecutable\nwindows\nwin32\npe\npeexe\nMagic\nPE32+ executable (GUI) x86-64, for MS Windows\nTrID\nMicrosoft Visual C++ compiled executable (generic) (41.1%) Win64 Executable (generic) (26.1%) Win16 NE executable (generic) (12.5%) Windows Icons Library (generic) (5.1%) OS/2 Executable (generic) (5%)\nDetectItEasy\nPE64 Compiler: PureBasic (4.X-6.X) Linker: Polink (2.50*) [GUI64]\nMagika\nPEBIN\nFile size\n120.50 KB (123392 bytes)", "modified": "2026-04-13T22:20:52.578000", "created": "2026-03-14T22:37:33.748000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "hostname": 194, "URL": 25, "domain": 4 }, "indicator_count": 229, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c8c74dd728963b54491100", "name": "Creates Skynet Files ?", "description": "I\u2019ve been investigating a victims iPhone , after performing a test a text came through with a a message with Donald Trump pointy and the phone #associated with blanks to fill in. Message: \nWELCOME TO THE GOLDEN AGE OF AMERICA!\n \nPresident Trump launched this number to stay directly connected with YOU, THE AMERICAN PEOPLE. We'll share important updates and ways you can get involved.\n \nAMERICA IS BACK! LET'S GET TO WORK!\n \nClick this link now and fill out the form so we can see your messages. (#45470)", "modified": "2025-10-16T01:04:49.255000", "created": "2025-09-16T02:11:25.219000", "tags": [ "united", "unknown aaaa", "passive dns", "urls", "search", "record value", "certificate", "hostname add", "present may", "present apr", "present jul", "present aug", "present sep", "present jun", "name servers", "title", "encrypt", "ipv4", "url analysis", "files", "location united", "america flag", "domain name", "moved", "domain", "cookie", "ipv4 add", "a domains", "hostname", "hash avast", "avg clamav", "msdefender may", "process32nextw", "read c", "medium", "module load", "t1129", "ms windows", "intel", "spynet", "write", "delphi", "win32", "observer", "script urls", "ip address", "modern asset", "date", "port", "destination", "pe export", "ordinal name", "address", "t pain", "domains", "script domains", "download", "meta", "appstorio", "apple app", "store", "gmt max", "age72000 path", "unknown cname", "domain add", "gmt content", "next associated", "trojan", "worm", "te hash", "avast avg", "accept ch", "unknown ns", "unknown soa", "x pcrew", "canada unknown", "mtb may", "observed dns", "query", "json", "delete", "delete c", "virtool", "defender", "malware", "next", "suspicious", "x cache", "cryptobit", "title error", "reverse dns", "dynamicloader", "xadxb3x1d", "xd7xacx87xd7xba", "x92r", "hxa6cxafxdexdaz", "x81xbcxa0", "x8fvx7fxc1px87f", "xaerx93lx88txc5", "xfex04o", "xf0ux0fxee", "tofsee", "grum", "stream", "powershell", "win64", "skynet" ], "references": [ "in.community.com", "RansomWin32Betisrypt CodeOverlap RansomWin32Nobig CodeOverlap", "TrojanDownloaderWin64Carberp CodeOverlap", "cdn.wallets.cryptobit.live \u2022 kryptonite.cryptobit.live \u2022 https://cryptobit" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 815, "domain": 411, "URL": 1874, "FileHash-MD5": 112, "FileHash-SHA1": 63, "email": 7, "FileHash-SHA256": 309, "SSLCertFingerprint": 5 }, "indicator_count": 3596, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "in.community.com", "TrojanDownloaderWin64Carberp CodeOverlap", "RansomWin32Betisrypt CodeOverlap RansomWin32Nobig CodeOverlap", "cdn.wallets.cryptobit.live \u2022 kryptonite.cryptobit.live \u2022 https://cryptobit", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Backdoor:win32/berbew", "Worm:win32/mofksys.rnd!mtb", "Skynet", "Virtool", "Win.trojan", "Tofsee" ], "industries": [ "Telecommunications", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6a0fde205095bd98f11dcd2e", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:40:00.363000", "created": "2026-05-22T04:40:00.363000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1e9d38578f83f2f07a", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:58.097000", "created": "2026-05-22T04:39:58.097000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fde1b366253c296281156", "name": "Research part 2 * CAPE Sandbox", "description": "[sample of malware: PCBioUnlock-Setup-x64, for MS Windows, has been found on a server in the Czech Republic and is being investigated by the UK's National Security Agency].", "modified": "2026-05-22T04:39:55.100000", "created": "2026-05-22T04:39:55.100000", "tags": [ "new roman", "hebrew", "arabic", "vietnamese", "greek", "baltic", "times new", "roman", "calibri", "light", "default", "strong", "cname", "file type", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "accept", "shutdown", "guard", "pe file", "windows", "sample", "reads", "performs dns", "network info", "processes extra", "pe32", "intel", "delphi", "code", "persistence", "malicious", "next", "member", "p11778505315", "p2404", "host", "library", "thrown", "class", "null", "example", "loop", "syst", "none rticon", "address virtual", "sha1", "locale", "download" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528935b574adacd37fb70a08c57e923187a88f0048edf13955c17b4ac9b6254f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424576&Signature=HqCaWUtXVqO0qP7OW%2FasttQekub43IxOpVwuNpnAqqHt5pD2k3CeW8D0ZuOjDsOkw4LBA4QQbqNJ8uF0UmEbac%2BHKOyP%2FCf%2B08D7aM0iFPanIPuqxCoSiRjjD1C759Ig9GSDC64CKskQd91puLrezrVudARsxDdIPAJCyAwGDb6Y3L7HlOj5cCucn6k6hA6AetITD1fiTojQEV%2BX9%2B9Wp0Qxeje2jmCgoPHcO2fWBMKX7UXSmC", "https://vtbehaviour.commondatastorage.googleapis.com/53bc6ed33565fe532d0ab10f9fafd2a18de06f9af32276627523a042a5205976_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424635&Signature=d4%2F4WzkSDNNN7zJVhJx9Csbghc4NumQIzYVmFLhdk983TTEjbNgBJJMGjkeXRWH1WR1mZnFiQQ7Mgo1L3lMAyghZch23i36rYC7Da3ktAuDVWv8dZ1P%2B%2FKBPfkOwkRmp9jF96vpOsqtTUoktlD4F%2Bu%2FSt6dwBXDN7ZBz%2F2Aau%2B0QQ4m11sl9wLFOuu1xCjfQKL%2FWdqAda78SKAgiFEx5VZhvpCqaQBEkgpvyGqqtOC8Rni", "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424692&Signature=A3e%2FNdGFEcoJrC50Cl1QJdp4vyuRXzYj3rP9Iwn%2F50jQamoXpWTto2LpsHhBehAI3uOMa%2F0EZAXBOsFpoMY%2F4gKZzD19INxr7gSdiBCwV3n78RSx72IwxJWT%2FrQFLc5LqYrfyhYZwA3RbXE0Rg7%2Ba%2BaCBYWZfO6Gf%2BJo7bMuxJ2KdvUp7KrHJsakVx8NR02FFuAwR9sksywzOJDU0EA36q48S%2Ffwge1CpYC0auKTyw3EFA4fQdko", "https://vtbehaviour.commondatastorage.googleapis.com/7568b78ad94202cc4e547c84d56faccb2a9033394945a2abdd1e7defe1b23221_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424847&Signature=W%2FpZoFBjX%2F6dqAOlg3u1Cr97bQWQ5vr5g8vo3MlqlHoQB2fgvDONRPJ9HyV3Y%2Fj3bm%2FptwemAyKKhjIjfQu1%2BpjTODHdlc7%2B%2B7CQ9HFpIhSzlPv%2BFz041BPyB4A3V1ai5cjuLZB%2FO1hgwEtS3zskowTaVI7ee6LCl6DfqDdq%2FO8RBndMZ9%2BQdoDiH0Gn3DBe3MHzxR9qkEXls3ok5PqQz2faoqkRtmJp7mflsROL", "https://vtbehaviour.commondatastorage.googleapis.com/7310a1ce46f4c4280e18403044cc3fa3dcbcac3646313096d2e8da082d654951_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779424873&Signature=UnLgHEfZz0S4bAc6cvQERC43J5aqbCUMvclTqtNQnkkUqr9x%2FGo0pkzzwsOlTksbn0qypBlpybA9XNQXcuQZlbt3MJrTrbNVqIWdAw22G589Fet6989gCoAmRKEX8dYX1C3%2FBPY4JErzHWREsqzA3aefjsOBRlQ2bEHFnmaaIgCwNcAp79YhAOITJ%2Bhc1FCaMl1hFlkeQ3tgSd%2BJauHkHpGHtktntEv90Mx9p614FUG2ybNPNrz%2B" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 365, "FileHash-SHA1": 113, "FileHash-SHA256": 302, "IPv4": 324, "URL": 261, "domain": 214, "hostname": 464 }, "indicator_count": 2043, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd8fcf280068179ca6d174", "name": "Over 1 Million Comm. Files. 158 referring malic tagged.", "description": "0befb3ee094b270c981816a69da00a000572f38d71772578cd7e2001d, as part of a series of events.\nacroipm2.adobe.[com]\nadobe.[com]", "modified": "2026-05-08T07:59:04.198000", "created": "2026-05-08T07:25:03.312000", "tags": [ "win32 dll", "win32 exe", "com laude", "readermessages", "microsoft", "ltd dba", "nomiq", "network capture", "text", "gzip", "first", "thumbprint", "code", "email", "san jose", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "date", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "cname", "aaaa", "ttl value", "key identifier", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "sha384", "ca1 validity", "info", "domain", "expiry date", "united", "update date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "FileHash-SHA1": 159, "FileHash-SHA256": 546, "IPv4": 314, "URL": 164, "domain": 52, "hostname": 210, "email": 6, "IPv6": 2, "CIDR": 6 }, "indicator_count": 1604, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd77791314336d2ce3b694", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:30.965000", "created": "2026-05-08T05:41:13.128000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 204, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1262, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd777910676e8bf0b845ee", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.869000", "created": "2026-05-08T05:41:13.718000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd777a9e7f4113aeb6b47c", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:29.152000", "created": "2026-05-08T05:41:14.795000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd777b0f4e9133dee0511f", "name": "CAPE Sandbox - Async Rat dating Sept 8, 2024", "description": "RAT, 2024. > Ttb chain shows the link to 2018-2019 domain control from Iran Root, Us hosted backdoor.", "modified": "2026-05-08T05:53:28.276000", "created": "2026-05-08T05:41:15.674000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "FileHash-MD5": 107, "FileHash-SHA1": 116, "FileHash-SHA256": 393, "URL": 205, "domain": 155, "hostname": 220, "CVE": 1 }, "indicator_count": 1263, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b5e32dee4d743737f99e72", "name": "CAPE Sandbox - Magika PEBIN Visual C++ EXE Win64", "description": "b3d4da64cbe049829e09ed7c24278551\nSHA-1\n34dbf480ffed8beb3e3e3d8d25ab38578463df07\nSHA-256\n8acca91ad54ccc1f1f16daa5b4217962a20359d12fe5da17d4ca9d72dcba79ef\nVhash\n0150665665655d1561z13z1004216z27z30500213z19z\nAuthentihash\ne5e7ec746b31d7b472f1fbbf4262d5749a15ab90e77374fb0c7e7d9fdfb31786\nImphash\n7182b1ea6f92adbf459a2c65d8d4dd9e\nSSDEEP\n3072:0V3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPOx8:Zt5hBPi0BW69hd1MMdxPe9N9uA069TBN\nTLSH\nT14EC32756B2E01198EBF581F6D5920746EB7074321B15A3DB6B7863B31B2B8C58F3D3A0\nFile type\nWin32 EXE \nexecutable\nwindows\nwin32\npe\npeexe\nMagic\nPE32+ executable (GUI) x86-64, for MS Windows\nTrID\nMicrosoft Visual C++ compiled executable (generic) (41.1%) Win64 Executable (generic) (26.1%) Win16 NE executable (generic) (12.5%) Windows Icons Library (generic) (5.1%) OS/2 Executable (generic) (5%)\nDetectItEasy\nPE64 Compiler: PureBasic (4.X-6.X) Linker: Polink (2.50*) [GUI64]\nMagika\nPEBIN\nFile size\n120.50 KB (123392 bytes)", "modified": "2026-04-13T22:20:52.578000", "created": "2026-03-14T22:37:33.748000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "hostname": 194, "URL": 25, "domain": 4 }, "indicator_count": 229, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c8c74dd728963b54491100", "name": "Creates Skynet Files ?", "description": "I\u2019ve been investigating a victims iPhone , after performing a test a text came through with a a message with Donald Trump pointy and the phone #associated with blanks to fill in. Message: \nWELCOME TO THE GOLDEN AGE OF AMERICA!\n \nPresident Trump launched this number to stay directly connected with YOU, THE AMERICAN PEOPLE. We'll share important updates and ways you can get involved.\n \nAMERICA IS BACK! LET'S GET TO WORK!\n \nClick this link now and fill out the form so we can see your messages. (#45470)", "modified": "2025-10-16T01:04:49.255000", "created": "2025-09-16T02:11:25.219000", "tags": [ "united", "unknown aaaa", "passive dns", "urls", "search", "record value", "certificate", "hostname add", "present may", "present apr", "present jul", "present aug", "present sep", "present jun", "name servers", "title", "encrypt", "ipv4", "url analysis", "files", "location united", "america flag", "domain name", "moved", "domain", "cookie", "ipv4 add", "a domains", "hostname", "hash avast", "avg clamav", "msdefender may", "process32nextw", "read c", "medium", "module load", "t1129", "ms windows", "intel", "spynet", "write", "delphi", "win32", "observer", "script urls", "ip address", "modern asset", "date", "port", "destination", "pe export", "ordinal name", "address", "t pain", "domains", "script domains", "download", "meta", "appstorio", "apple app", "store", "gmt max", "age72000 path", "unknown cname", "domain add", "gmt content", "next associated", "trojan", "worm", "te hash", "avast avg", "accept ch", "unknown ns", "unknown soa", "x pcrew", "canada unknown", "mtb may", "observed dns", "query", "json", "delete", "delete c", "virtool", "defender", "malware", "next", "suspicious", "x cache", "cryptobit", "title error", "reverse dns", "dynamicloader", "xadxb3x1d", "xd7xacx87xd7xba", "x92r", "hxa6cxafxdexdaz", "x81xbcxa0", "x8fvx7fxc1px87f", "xaerx93lx88txc5", "xfex04o", "xf0ux0fxee", "tofsee", "grum", "stream", "powershell", "win64", "skynet" ], "references": [ "in.community.com", "RansomWin32Betisrypt CodeOverlap RansomWin32Nobig CodeOverlap", "TrojanDownloaderWin64Carberp CodeOverlap", "cdn.wallets.cryptobit.live \u2022 kryptonite.cryptobit.live \u2022 https://cryptobit" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 815, "domain": 411, "URL": 1874, "FileHash-MD5": 112, "FileHash-SHA1": 63, "email": 7, "FileHash-SHA256": 309, "SSLCertFingerprint": 5 }, "indicator_count": 3596, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "timeout.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "timeout.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780223718.2697725 }