{
  "Event": {
    "analysis": "1",
    "date": "2026-03-02",
    "extends_uuid": "",
    "info": "[Threat Intel] Fake Tech Support Delivers Havoc Command & Control",
    "protected": false,
    "publish_timestamp": "1773274384",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1773274384",
    "uuid": "4cf1b9fe-c996-4253-9922-7ef7e5928982",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee4ab",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Deployment Tools - T1072\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdd85e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#cb2c9b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic-link Library Injection - T1055.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Havoc\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"BlackBasta\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"FIN7\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766030",
        "to_ids": false,
        "type": "link",
        "uuid": "59d885e5-f1d6-4317-8336-2ca97fcaeb72",
        "value": "https://www.huntress.com/blog/fake-tech-support-havoc-command-control"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766030",
        "to_ids": false,
        "type": "text",
        "uuid": "0e8d430d-362e-4105-bde3-a7bc9bfdc814",
        "value": "A sophisticated cyber attack campaign combines social engineering and advanced malware techniques. Attackers pose as IT support to gain initial access, then deploy a modified version of the Havoc C2 framework. The malware uses DLL sideloading, indirect syscalls, and custom loaders to evade detection. After compromising the initial system, the attackers rapidly move laterally, establishing persistence through scheduled tasks and legitimate remote monitoring tools. The campaign demonstrates a blend of human-centric initial access methods and advanced technical evasion techniques, highlighting the need for comprehensive security measures spanning user awareness and technical controls."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766030",
        "to_ids": false,
        "type": "text",
        "uuid": "aa10fae0-5fba-429a-b6aa-fce76b296b54",
        "value": "Name: Fake Tech Support Delivers Havoc Command & Control\nAuthor: AlienVault\nAdversary: \nTags: [\"havoc demon\", \"havoc\", \"social engineering\", \"havoc c2\", \"syscalls\", \"dll sideloading\", \"remote monitoring tools\", \"evasion techniques\", \"lateral movement\"]\nTgtd countries: []\nMlwr families: [\"Havoc\", \"Havoc Demon\"]\nAttack_ids: [\"T1053.005\", \"T1003\", \"T1082\", \"T1106\", \"T1055\", \"T1021.002\", \"T1016\", \"T1083\", \"T1057\", \"T1072\", \"T1078\", \"T1027\", \"T1012\", \"T1059.003\", \"T1134\", \"T1071.001\", \"T1018\", \"T1574.002\", \"T1021.001\", \"T1569.002\", \"T1055.001\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825066",
        "to_ids": true,
        "type": "sha256",
        "uuid": "7ca58c36-bda2-4dd3-a3b1-685a72a240e5",
        "value": "0dce1175dc50d20da0fc009d0eed30fb75a004389fca0fbe0abe9835631d745c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825068",
        "to_ids": true,
        "type": "sha256",
        "uuid": "34cfdd4d-1c8a-4980-a54b-d062e10048bf",
        "value": "1175b1c56d59b736fe25495674ee3f83848e7785fde8ba9e207d283fed9b36c7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825070",
        "to_ids": true,
        "type": "sha256",
        "uuid": "88c07070-e531-4178-9edb-f00bff68f1bf",
        "value": "59014e97287b5602bba192a04535c59c60c6eb3a9770a94293551dfd5390c5c2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825071",
        "to_ids": true,
        "type": "sha256",
        "uuid": "98514678-9b51-4b60-ade7-7bad8e66de43",
        "value": "6fbd98bbdb8a34dd563f29f45c66adf5c53b1aff225269af3ceb56d76ecd677d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825073",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b81c78bc-72bf-441c-b80f-e2ab63bbb5fd",
        "value": "96c3b7ec47ca5ffaac5da1fda25b1ad1afa91e57e1586165deec1e541f3def2e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825075",
        "to_ids": true,
        "type": "sha256",
        "uuid": "95eca0db-f065-4163-aa16-d577431f55da",
        "value": "b1ccee3d0dc7a85c117580cc08b8edcb8118b5612669300d4b006f50663b387e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825077",
        "to_ids": true,
        "type": "sha256",
        "uuid": "df5ade1c-c945-41b5-91fa-8d39872382ea",
        "value": "d96d8b01d034ca1b9b232c70d57a863320cc107e07245ef7308cbdb069031e61",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773269965",
        "to_ids": true,
        "type": "domain",
        "uuid": "be0645b1-0ab9-467a-a259-0d6d642a67c8",
        "value": "afzarkara.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773269988",
        "to_ids": true,
        "type": "domain",
        "uuid": "a8d0561f-fa04-4f23-acee-d26154ed338d",
        "value": "agricularly.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773270009",
        "to_ids": true,
        "type": "domain",
        "uuid": "a32cb7f3-3ec6-4a9e-9ecd-b062e461f146",
        "value": "alatastro.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773270030",
        "to_ids": true,
        "type": "domain",
        "uuid": "a4935e3c-f23d-4db6-bf4e-45394fb00d8a",
        "value": "arcupondepago.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773270051",
        "to_ids": true,
        "type": "domain",
        "uuid": "b5e97b66-ce5b-423c-84c2-10d57a67faa0",
        "value": "bongsebing.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773270072",
        "to_ids": true,
        "type": "domain",
        "uuid": "39e14535-5b41-43fe-bd39-c3cabcb90193",
        "value": "egravy.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773270093",
        "uuid": "f9897686-c972-4109-8962-81fa2fedac45",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773270093",
            "to_ids": true,
            "type": "md5",
            "uuid": "dbe24c00-06c3-45d7-bbae-f31bcd51fdb8",
            "value": "3e6cd9a31719d1cce2083299c8f44ae1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772825058",
            "to_ids": true,
            "type": "sha1",
            "uuid": "51d9c224-d3c5-42ef-8825-2cc5f90849eb",
            "value": "b69078cb5a44132271dabd01e1cb77606e399884",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772825058",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9602cdd6-0f59-4597-ac18-ad754e2862cc",
            "value": "64ec615c046a59c08f0ddf3fe9f93e0c9e1bed227d980628cc09600e94adcd25",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772824557",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5f7f52db-d38a-4209-90a7-18b09503f174",
            "value": "12288:YPW+xVs2/hH6bDb2rqBoGwTeN7+Bh70PzyiyBHsLS+NU0VVI:cf42/Z6bDb2rmoGwTeMwUBHsX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772824557",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "86376111-2a4d-46eb-8299-8bd6a7b22f54",
            "value": "942520"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772824557",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cedf01eb-170d-42df-a030-181d6fa1dcb3",
            "value": "195076651d555d151552e3z12z913z21z5071zb7z3dz9e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772824557",
            "to_ids": true,
            "type": "filename",
            "uuid": "dd958289-d859-4bd0-b0c2-ad2b43d20ca7",
            "value": "mpclient.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/03/2026\nLast-scan\t:  06/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772824557",
            "to_ids": false,
            "type": "text",
            "uuid": "21600ac7-e4ec-4602-9abb-9edcf458c676",
            "value": "Type Description: Win32 DLL\nFile distributed by: ['Microsoft']\nData sources: ['Microsoft Corporation', 'HashDB', 'National Software Reference Library (NSRL)', 'monitor_hashdb_microsoft']\nVerdict filename: ['MpClient.dll-64ec615c046a59c08f0ddf3fe9f93e0c9e1bed227d980628cc09600e94adcd25', '[part(1)FileId(30648)Name(MpClient.dll)]', '[part(1)FileId(30960)Name(MpClient.dll)]', 'MpClient_12.dll', 'MpClient.dll', '[part(1)FileId(29998)Name(MpClient.dll)]', '[part(1)FileId(28985)Name(MpClient.dll)]', '[part(1)FileId(30966)Name(MpClient.dll)]', '[part(1)FileId(27979)Name(MpClient.dll)]', '[part(1)FileId(28679)Name(MpClient.dll)]', 'amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7_mpclient.dll_0a78b638', '[part(1)FileId(28986)Name(MpClient.dll)]']\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2019-09-26T22:55:13.000000+00:00\nLast Submission:2026-02-16T01:46:00.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773270114",
        "uuid": "72130bb8-29c8-4deb-9fca-b81578b2acb7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773270114",
            "to_ids": true,
            "type": "md5",
            "uuid": "9990817a-2384-4ce5-bead-e0f1428f76ac",
            "value": "5fa6833acffe1bb54d43ef61c28a2742",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772825059",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bc219967-7cd7-4032-a46f-c7a0ed5c6399",
            "value": "d634a90b37454b320c890c8a867b0598f3213aeb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772825060",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e3cd0e8e-a4cb-491f-8d16-ab8c23661904",
            "value": "388c53e8ff438f0cf101fe0322ad8f32bae140ff85da9b71b0fa366a76097408",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772824590",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c745c31f-1c50-496c-822a-c3df49ccca30",
            "value": "3072:zcgDqtoyvhxpJCIl0FWtPmvdEFHA5QriCAS79IwnEggybhYOf5DvXYu9XGyc21p/:zcIdyvhx90ItPDtv9Nauh39WE7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772824590",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3a4c3160-2a50-4812-94b5-8f72c780bda5",
            "value": "278352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772824590",
            "to_ids": true,
            "type": "vhash",
            "uuid": "523b3907-1071-434a-a955-0a5b21a721f7",
            "value": "025076655d151d05651018z483z5hz8fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772824590",
            "to_ids": true,
            "type": "filename",
            "uuid": "fe123ce7-97dc-469b-a9f5-00f06869ef4e",
            "value": "DlpUserAgent.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/03/2026\nLast-scan: 06/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772824590",
            "to_ids": false,
            "type": "text",
            "uuid": "2628fbb0-0ab9-44b6-bfbf-436813023c41",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2025-12-16T00:29:49.000000+00:00\nLast Submission:2026-03-04T03:45:27.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773270136",
        "uuid": "6076de3d-98fc-4cf2-898b-974af4babd6e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773270136",
            "to_ids": true,
            "type": "md5",
            "uuid": "5d9ae74f-38e1-46e9-a7fc-9c99e3cfb85c",
            "value": "851760a3cc87354e057985e42e69f425",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772825062",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d08aaa9b-df76-435b-b270-2636622a8224",
            "value": "9ad109ef885e5a07c59c010ca006cfcd06a00f30",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772825062",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8cb43fa8-177a-4209-ac35-b44a3cc8b5dc",
            "value": "e30b3f4979b63b50438d061858c9cde962f4494e585c627a11c98b6c5b7b2592",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#2c2142",
                "local": false,
                "name": "false-positive:risk=\"high\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772824614",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "acb7075b-1d5d-46a0-8beb-55637814a7bd",
            "value": "768:/J1E6sCUocm8zuAMFAz3SPZMsJGJ+x9z1Vjk6bK9z6:/UjU+KesgJuzU6az6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772824614",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6a06d1f7-16a5-4ce5-8b7f-f644915ef7cf",
            "value": "49792"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772824614",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b666dce6-c01a-4410-bf08-10024297f43f",
            "value": "144066651d1515151az1b?z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772824614",
            "to_ids": true,
            "type": "filename",
            "uuid": "f79383db-f871-40ff-bc27-5003c037b725",
            "value": "vcruntime140_1.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/03/2026\nLast-scan: 06/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772824614",
            "to_ids": false,
            "type": "text",
            "uuid": "3c8107b9-a63b-440a-9e18-bcdb187a5c18",
            "value": "Type Description: Win32 DLL\nFile distributed by: ['Microsoft']\nData sources: ['Microsoft Corporation']\nVerdict filename: ['(c2rdat-1652)', '(c2rdat-1650)', '(c2rdat-1685)', 'vcruntime140_1.dll_amd64.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3', '(c2rdat-1655)', '(c2rdat-1664)', '(c2rdat-1653)', '(c2rdat-1693)', '(c2rdat-1695)', '(c2rdat-1651)']\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2025-04-22T10:08:01.000000+00:00\nLast Submission:2026-03-05T21:30:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773270157",
        "uuid": "71f1b675-2427-48b5-8fee-549550850431",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773270157",
            "to_ids": true,
            "type": "md5",
            "uuid": "08cb4404-b148-4cfa-85e7-5897064bcc3a",
            "value": "b1cf4f72786b22482508935a7b26f599",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772825065",
            "to_ids": true,
            "type": "sha1",
            "uuid": "20766cba-fb31-4bf8-a552-437d83e78852",
            "value": "d78ee86d53354286961ea84053a01963492e154b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772825065",
            "to_ids": true,
            "type": "sha256",
            "uuid": "74096f94-dab4-44a1-89e9-41082f113bfa",
            "value": "c10e144c25c1bac0692ed0b31dd626ab9195c5285b82430371a4ecdbd6d7f3fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772824639",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e851b1dd-06e2-47bb-aa4f-658b3439efdf",
            "value": "6144:ri3gNORllgL8TbcheGBCgfj+AszjFprdUfpip7oyfSqSF8:rlgeL8TbchLn8jma7rfk8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772824639",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d0c11eac-0faa-4f81-b5c4-093d5edaff62",
            "value": "558552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772824639",
            "to_ids": true,
            "type": "vhash",
            "uuid": "043f6e6a-6ca6-4395-bfbd-8ac1fe549bb2",
            "value": "055066551d1555155178z48z6055z41z1126z245z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772824639",
            "to_ids": true,
            "type": "filename",
            "uuid": "4a799ac1-23df-4cd3-8134-f6ec4c0a6686",
            "value": "ADNotificationManager.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/03/2026\nLast-scan: 06/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772824639",
            "to_ids": false,
            "type": "text",
            "uuid": "8d76a220-3c6c-444c-a652-78bbd69e092a",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2026-01-20T14:30:19.000000+00:00\nLast Submission:2026-03-05T21:06:01.000000+00:00"
          }
        ]
      }
    ]
  }
}