{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] EDR killers explained: Beyond the drivers",
    "protected": false,
    "publish_timestamp": "1775245822",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775245822",
    "uuid": "9a7c14f4-12a3-425c-a5c5-32081d4f27bc",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8675c7",
        "local": false,
        "name": "misp-galaxy:producer=\"ESET\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#461928",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Blocking - T1562.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f798db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal from Tools - T1027.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#14b0bf",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Logon Script (Windows) - T1037.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003f",
        "local": false,
        "name": "rectifyq:sub-category=\"tool-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Embedded Payloads - T1027.009\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Safe Mode Boot - T1562.009\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004427",
        "to_ids": false,
        "type": "link",
        "uuid": "7060aa52-99d9-44d2-8634-290d755a87fd",
        "value": "https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004427",
        "to_ids": false,
        "type": "text",
        "uuid": "29db812a-34b3-4455-8ec5-c80eb1ecfbcc",
        "value": "This analysis explores the ecosystem of EDR (Endpoint Detection and Response) killers, tools used by ransomware attackers to disrupt security solutions before deploying encryptors. The research, based on almost 90 EDR killers tracked in the wild, reveals that these tools are fundamental in modern ransomware operations. Affiliates, not operators, typically choose EDR killers, leading to greater tooling diversity in larger affiliate pools. The same vulnerable driver can appear in unrelated tools, and tools can switch between drivers, making driver-based attribution unreliable. The landscape includes forked proofs of concept, professional implementations, and commercial offerings. While the Bring Your Own Vulnerable Driver (BYOVD) technique dominates, custom scripts, anti-rootkits, and driverless approaches are also used. The analysis emphasizes the importance of looking beyond drivers to understand the full scope of the EDR killer ecosystem and its implications for cybersecurity."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774004427",
        "to_ids": false,
        "type": "text",
        "uuid": "0850a6f0-d867-4eb4-bb7e-dcbd6f0049f4",
        "value": "Name: EDR killers explained: Beyond the drivers\nAuthor: AlienVault\nAdversary: \nTags: [\"ghostdriver\", \"byovd\", \"vulnerable drivers\", \"tfsysmon-killer\", \"threat intelligence\", \"cardspacekiller\", \"smilingkiller\", \"dlkiller\", \"malware\", \"defense evasion\", \"cybersecurity\", \"edr killers\", \"edrkillshifter\", \"ransomware\", \"abysskiller\", \"edr-freeze\", \"sevexkiller\", \"susanoo\", \"dead-av\", \"hexkiller\", \"demokiller\", \"ms4killer\", \"abyssworker\", \"edrsilencer\"]\nTgtd countries: []\nMlwr families: [\"ABYSSWORKER\", \"AbyssKiller\", \"EDRSilencer\", \"EDR-Freeze\", \"EDRKillShifter\", \"DLKiller\", \"Susanoo\", \"HexKiller\", \"SevexKiller\", \"TfSysMon-Killer\", \"dead-av\", \"GhostDriver\", \"SmilingKiller\", \"DemoKiller\", \"CardSpaceKiller\", \"MS4Killer\"]\nAttack_ids: [\"T1489\", \"T1543.003\", \"T1140\", \"T1562.006\", \"T1562.001\", \"T1027.005\", \"T1068\", \"T1027\", \"T1059.003\", \"T1070.004\", \"T1027.002\", \"T1037.001\", \"T1569.002\", \"T1490\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "EDRSilencer EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237412",
        "to_ids": true,
        "type": "sha1",
        "uuid": "f73f6095-8d7c-42a4-b63c-a8eceed08428",
        "value": "002573d80091f7f8167bcbda3a402b85fa915f19",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "EDR-Freeze EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237413",
        "to_ids": true,
        "type": "sha1",
        "uuid": "15fd04ea-48cb-4ad1-b50e-5c744a670022",
        "value": "1e7567c0d525ad037fbbbafb643bf40541994411",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "EDRKillShifter EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237414",
        "to_ids": true,
        "type": "sha1",
        "uuid": "5f362c4f-719d-47b8-85ff-199dfd562f8d",
        "value": "65c2388b0afb1d1f1860bb887456d8d6cd8b5645",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "HexKiller EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237415",
        "to_ids": true,
        "type": "sha1",
        "uuid": "82955232-75c1-4468-8005-2d17fa681eef",
        "value": "570161a420992280a8eced253edc800296b72d1c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "TfSysMon-Killer EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237416",
        "to_ids": true,
        "type": "sha1",
        "uuid": "1feebdc3-915c-4a78-9cd6-b1fa52bb7e6b",
        "value": "31ce76931ca09d3918b34e3187703bc72e6d647e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "dead-av EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237417",
        "to_ids": true,
        "type": "sha1",
        "uuid": "3f20babb-326c-4588-9b75-db3349125ed4",
        "value": "b9820bf443c375577ceef44b9491e3a569a1b9e8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GhostDriver EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237418",
        "to_ids": true,
        "type": "sha1",
        "uuid": "4bb4cb2f-9f85-45af-b806-84c8dfa3bc5c",
        "value": "34270b07538b7357cf10d0d5bda68f234b602f93",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "SmilingKiller EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237419",
        "to_ids": true,
        "type": "sha1",
        "uuid": "5294086c-f7c1-4de7-b681-c03df9316448",
        "value": "09735640d6634b0303755a9fd3b2bc80f932126c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "DemoKiller EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237419",
        "to_ids": true,
        "type": "sha1",
        "uuid": "043932b1-08f7-40bc-b061-9537322728be",
        "value": "711c95fead2215e9ac59e32e6e3b0d71ad5c5aa5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "CardSpaceKiller EDR killer. No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237421",
        "to_ids": true,
        "type": "sha1",
        "uuid": "9640aa84-a776-462a-afbb-0490c9d32eeb",
        "value": "4a57083122710d51f247367afd813a740ac180a1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239045",
        "uuid": "fdf63896-5c82-42e8-abe9-f369f23ad8c4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "AbyssKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239045",
            "to_ids": true,
            "type": "md5",
            "uuid": "50859b52-a3e0-4bec-bee6-1e57cf2c8242",
            "value": "03af2bf85923ce0fda7c20f8f82839c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "AbyssKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237386",
            "to_ids": true,
            "type": "sha1",
            "uuid": "08262054-5b11-4132-9546-d92e89d15ee4",
            "value": "54547180a99474b0dba289d92c4a8f3eea78b531",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "AbyssKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237386",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2e61a49a-84fa-471d-b900-e06469745f82",
            "value": "df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235321",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5db40a83-cf99-4ab3-8c66-31627652f77b",
            "value": "98304:qEGWluyYDaL1ChSVTYSwT+bmaxE2IYd8qC5:qnpeIuY3Tdam2PC5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235321",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1fc21a0b-56e7-4b26-a970-8fc0d59e6093",
            "value": "3703808"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235321",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ad1f6cbe-6529-484b-a0c0-cf99be06b4b9",
            "value": "036086665d1c0d5c05157032402005200257zc035z43z403dz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235321",
            "to_ids": true,
            "type": "filename",
            "uuid": "4081de6b-3c54-44fd-8e6b-81a969bf3fb7",
            "value": "df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan\t:  03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235321",
            "to_ids": false,
            "type": "text",
            "uuid": "999b3a4e-bca1-4a4d-b30b-350e26657dc4",
            "value": "AbyssKiller EDR killer.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/MedusaLocker.WZV!MTB\nVT Total Detection:56/71\nFirst Submission:2025-01-23T23:01:58.000000+00:00\nLast Submission:2025-01-23T23:01:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239067",
        "uuid": "e3ebc6aa-2f51-4910-981d-40e68bfcd1e3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "The ABYSSWORKER rootkit.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239067",
            "to_ids": true,
            "type": "md5",
            "uuid": "74c57094-314d-45ba-9cf3-036e78814a18",
            "value": "9e82ee5bde6b5d29281a3c280e6d1f2e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "The ABYSSWORKER rootkit.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237387",
            "to_ids": true,
            "type": "sha1",
            "uuid": "520e2ff0-9326-4962-a813-4815cfd166a4",
            "value": "75f85caea52fe5a124fa77e2934abd3161690add",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "The ABYSSWORKER rootkit.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237387",
            "to_ids": true,
            "type": "sha256",
            "uuid": "074dedf1-6d3b-441f-bb71-5b1aa789dbec",
            "value": "b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235343",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6d7cde6b-b7b8-4d3e-a422-2c91ed771c0b",
            "value": "24576:vqGC/yC0kW3/XARynJph+IOXo95wivzh9uBA5J4rcNkM0MGN5lsTPbKJPa:vqWC+3o4IQait9u0VG5sHK1a"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235343",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7d198d86-6b15-4c50-90fd-03dc5c717548",
            "value": "1689160"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235343",
            "to_ids": true,
            "type": "vhash",
            "uuid": "59ecc79e-bd43-491f-93c7-1a19031e4ea5",
            "value": "016086551d151655151f79z16z62xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235343",
            "to_ids": true,
            "type": "filename",
            "uuid": "71b82e7b-be55-4792-a1e8-f0324cc3a57f",
            "value": "CSAgent.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 28/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235343",
            "to_ids": false,
            "type": "text",
            "uuid": "20b26d11-e511-4888-8978-ce7aedc233d1",
            "value": "The ABYSSWORKER rootkit.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/AVTamper.H\nVT Total Detection:55/71\nFirst Submission:2025-01-27T18:21:01.000000+00:00\nLast Submission:2025-01-27T18:21:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239088",
        "uuid": "fea9fa00-2f80-4b5f-bdd7-6d1470bf238a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DLKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239088",
            "to_ids": true,
            "type": "md5",
            "uuid": "27b04ced-7abd-4088-9c8e-16d287da5a18",
            "value": "d5b6a6a6e49d8b4ad03399347f8b7c4f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DLKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237388",
            "to_ids": true,
            "type": "sha1",
            "uuid": "79b50adc-511c-4e03-b691-6d747b6b5e01",
            "value": "a9f37104d2d89051f34e1486bc6ebff44d147e67",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DLKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237388",
            "to_ids": true,
            "type": "sha256",
            "uuid": "80a72e51-41ef-4ffd-84b9-4f2d1227f59d",
            "value": "2d89fb7455ff3ebf6b965d8b1113857607f7fbda4c752ccb591dbc1dc14ba0da",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235428",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "01444c58-046b-4377-8427-9f04bc448fe3",
            "value": "1536:YqkUZOOBJv5i5IqGkk4Y+O/RtXIVX6U8nrgC:Y3UZjvGIq7Y+OnXIFxIrV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235428",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4252c519-7f33-415f-bf9e-c22689e19113",
            "value": "60928"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235428",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a2d15b41-76c5-4ffe-ac68-bbc373f5f6a7",
            "value": "064046655d155048z30171z3@z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235428",
            "to_ids": true,
            "type": "filename",
            "uuid": "a444377d-dca7-4d5f-a573-de68f385386f",
            "value": "EDRGay.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 30/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235428",
            "to_ids": false,
            "type": "text",
            "uuid": "b33dcf70-1d0d-4881-b5e5-b11e4bc910ef",
            "value": "DLKiller EDR killer.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection:41/71\nFirst Submission:2025-07-09T13:42:02.000000+00:00\nLast Submission:2025-10-23T15:40:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239109",
        "uuid": "b63c3d65-2185-4f7d-b641-5d5825cd0b69",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Susanoo EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239109",
            "to_ids": true,
            "type": "md5",
            "uuid": "6a6a14a5-fc9d-4472-94d1-8f0fd5fc1f73",
            "value": "f9580d01f9ea52ebc4f936f0b965bc1d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Susanoo EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237389",
            "to_ids": true,
            "type": "sha1",
            "uuid": "04d4c7d8-8eeb-49cd-9ef6-9a006fffb14f",
            "value": "083f604377d74c4377822ef35021e34ad7daceea",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Susanoo EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237389",
            "to_ids": true,
            "type": "sha256",
            "uuid": "871b6d4e-5270-4cdf-bca1-32b423245402",
            "value": "e75d06b1461b971335076c4839483ea14010e837959595dbb4fe2e1fd0fd85a8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235450",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0a516e65-ea32-4b08-a5a5-65f90c4d38b4",
            "value": "6144:jx4GKRSMPlHjMGJt7c+/t7edgB5EQKEEgREDmSUT/:tkvPpjF1PtSdgB5OExRESH/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235450",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0a3c9757-56b4-4b4e-92d5-76e9d57104a4",
            "value": "434176"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235450",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d9c7c187-0f69-48cd-b58f-ca5b07e6a878",
            "value": "045056656d155550b053z8003d3z21z27z101002ffz"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 30/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235450",
            "to_ids": false,
            "type": "text",
            "uuid": "094a07ee-6102-4b4a-8bba-d3a241223c99",
            "value": "Susanoo EDR killer.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Seheq!rfn\nVT Total Detection:45/71\nFirst Submission:2025-02-14T15:21:10.000000+00:00\nLast Submission:2025-02-14T15:21:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239130",
        "uuid": "062cefde-4d53-41fe-a1cc-7ec8f057721e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "SevexKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239130",
            "to_ids": true,
            "type": "md5",
            "uuid": "3711ba6d-36a1-4baa-bd9b-7db7155fb5b4",
            "value": "959a879773754f8a8c437e2e7df944fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SevexKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237390",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1f969baf-7e94-464d-b904-42cd9c47e493",
            "value": "bbe0e14bc7ece8a7a1236d5a12e30476cfcef110",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "SevexKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237390",
            "to_ids": true,
            "type": "sha256",
            "uuid": "83163716-c951-4e6c-9921-5675d8b41387",
            "value": "680b8005db5338b5405687fe7dd0ad4dbf1c0fc3f4705930e94416bfa540304d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235493",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "64a80fbd-3532-42ac-858b-4ac4384b4eeb",
            "value": "49152:u6uYsF6yYkjKk5vI0iZ4LzLeDu2Oei3/mwnp+m5Q658RoKa:uDI0iZ4LsPwry658pa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235493",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "86c0d922-c0b7-42f9-987c-501cf2537c35",
            "value": "5475084"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235493",
            "to_ids": true,
            "type": "vhash",
            "uuid": "212bafb3-9300-4cd2-bd58-bd422bae1594",
            "value": "0561766d1555551c05151az38?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235493",
            "to_ids": true,
            "type": "filename",
            "uuid": "c60921e6-caaa-4515-81e2-813927dc7560",
            "value": "2026-02-17_959a879773754f8a8c437e2e7df944fd_ghostlocker_glassworm_luca-stealer"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 28/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235493",
            "to_ids": false,
            "type": "text",
            "uuid": "0fd7bcde-4f7a-4e42-bb15-c68ad5c6b08f",
            "value": "SevexKiller EDR killer.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/KillAV.CM!MTB\nVT Total Detection:45/71\nFirst Submission:2026-02-17T10:59:28.000000+00:00\nLast Submission:2026-02-17T17:39:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239151",
        "uuid": "a940c184-bd93-4db6-bb18-800f2863c885",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "kill-floor EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239151",
            "to_ids": true,
            "type": "md5",
            "uuid": "8eca1755-da2c-40e1-9c70-360f7fbe865b",
            "value": "fa8fa492cff3bbb1116e6b78b98642f6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "kill-floor EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237391",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b4b296ef-913a-4e6e-8bc3-43a7ae015813",
            "value": "85bc0a4f67522d6ac6be64d763e65a2945ec5028",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "kill-floor EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237391",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e0cbae9c-6714-4dd5-93b2-fb571f198285",
            "value": "b966f5db38edc5aa56d7a1fb2eb79025d27f42997a99950b23f7adfa620f3290",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235599",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d525fbc5-6ea0-410a-a4b0-f91f3267f887",
            "value": "6144:IyO0qgu6k/Z8SNNQbCOD8X3CgmH6Y31lkEa:9O0vO/ZRGbCO4x0lkE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235599",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fdf63025-c6ce-4b4e-96e1-9cfb8f993c4b",
            "value": "390144"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235599",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9f4d6402-6d05-4ff6-a34f-99e5f36c5bd5",
            "value": "035066655d655d055az58!z"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 30/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235599",
            "to_ids": false,
            "type": "text",
            "uuid": "f4ef00e1-227e-4293-884d-d56de75db8d5",
            "value": "kill-floor EDR killer.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/RootkitDrv!rfn\nVT Total Detection:48/71\nFirst Submission:2025-02-27T00:43:22.000000+00:00\nLast Submission:2025-02-27T00:43:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239172",
        "uuid": "fd3789ab-cd66-430c-9390-28aa8a756b6f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "DemoKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239172",
            "to_ids": true,
            "type": "md5",
            "uuid": "2906ccbf-e0f1-4ce5-98ff-7b740e0a7767",
            "value": "427bf30a292c0fb874ccf43621c321d7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DemoKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237392",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0628620c-2ff0-41ad-914f-13344114a796",
            "value": "bc65ed919988c8e4b8f5a1cd371745456601700a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "DemoKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237392",
            "to_ids": true,
            "type": "sha256",
            "uuid": "851c63af-8b50-499c-ac48-8ad633a1281f",
            "value": "b0f201128e80b5b79dac41da52691cb5803fb1ae3e9272eb252ece4a5d887485",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235642",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f6ca83ae-9422-460c-a20a-cbced4af5954",
            "value": "1536:LtNV9XAoYvfEWYuWRTgnIVfiMPRcGn/tZlxM5kx6suizkhCO66s6Stwn9ISZJ8zV:LFymBnGbHCXbnECAW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235642",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "cf91e842-8dda-40ef-982a-cfe8096d221b",
            "value": "56832"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235642",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8b13cde4-6bae-4c41-bfff-0d4641b8e154",
            "value": "054066655d1515151az1bwz1a5z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235642",
            "to_ids": true,
            "type": "filename",
            "uuid": "abe55910-08f0-4c26-b8da-c40d8d27d86c",
            "value": "demo.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan\t:  30/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235642",
            "to_ids": false,
            "type": "text",
            "uuid": "89e45bff-f525-4622-81dc-60f042e84509",
            "value": "DemoKiller EDR killer.\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Casdet!rfn\nVT Total Detection:41/71\nFirst Submission:2025-05-20T13:35:21.000000+00:00\nLast Submission:2025-05-20T13:35:21.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239193",
        "uuid": "f6286b3d-c3c0-42a1-a445-c48d5c8e7bf9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Baidu Antivirus BdApi vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239193",
            "to_ids": true,
            "type": "md5",
            "uuid": "a318f279-0db4-40d4-922d-7ea8c26c5b65",
            "value": "ced47b89212f3260ebeb41682a4b95ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Baidu Antivirus BdApi vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237393",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6621c1a3-74f4-47f5-9441-331e9d35275e",
            "value": "148c0cde4f2ef807aea77d7368f00f4c519f47ef",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Baidu Antivirus BdApi vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237393",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ae148b9d-aed9-480b-a6ba-2dd0f8a6004d",
            "value": "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235663",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3e59604c-8b5c-4bb2-834e-a361847eacb7",
            "value": "768:0MdM/AcPDiFhlPqbgKq0qC9bheG8FHrtjBUQEEt11l11e6O6yKo/Jqq0nGxobqkD:0LShhKYSdgpjNEEaB0BEj+9QvUb4obB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235663",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "985feb64-9798-4ec5-beb8-933b68beeae9",
            "value": "116800"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235663",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ef35107a-db69-44d7-ae32-508d767085cd",
            "value": "015086651d15165e55155iz5yz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235663",
            "to_ids": true,
            "type": "filename",
            "uuid": "0d6d24c2-a9de-490f-9668-600f38e9d261",
            "value": "Baidu Antivirus"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan\t:  31/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235663",
            "to_ids": false,
            "type": "text",
            "uuid": "c41e3717-ea2c-4949-b3cb-4be3cdbdd9d0",
            "value": "Baidu Antivirus BdApi vulnerable driver.\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:9/71\nFirst Submission:2014-09-03T23:56:35.000000+00:00\nLast Submission:2026-03-29T01:26:59.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239215",
        "uuid": "4e7855df-c7b4-44e5-9765-6d222d694fcb",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "K7RKScan Kernel Module vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239215",
            "to_ids": true,
            "type": "md5",
            "uuid": "276077f4-a4c5-4d92-a561-fc0e31333666",
            "value": "9b04a93e05ccff94667f04bffa7af600",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "K7RKScan Kernel Module vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237394",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4362121f-1c6c-42b4-8fa3-20ed06fd1309",
            "value": "468121e7d6952799f92940677268937c4c5f92ed",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "K7RKScan Kernel Module vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237394",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5fe10c63-0c3c-48e1-ab63-337d3f321196",
            "value": "b16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235685",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9422587d-fc46-4ab7-af49-77166b061b87",
            "value": "384:coJavQ0S1Q6Q+ih75TsYq15sSiwrBRL5/Zm+DoURR0rJFpIx7XqnYPLQa6jaJIEb:QS19Rih7ZsvgwrHdljGJFpI9XqymS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235685",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4cb8b7f1-4869-4058-ad98-4de3688a76f4",
            "value": "27936"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235685",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b8695dd1-19d0-4773-9136-35ebd20e1ecb",
            "value": "024076651d151e55151iz28xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235685",
            "to_ids": true,
            "type": "filename",
            "uuid": "a718346f-80f8-4137-a50d-faa0c3cf2b35",
            "value": "K7RKScan"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan\t:  01/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235685",
            "to_ids": false,
            "type": "text",
            "uuid": "3eda527b-7644-46db-941b-e94b9e32c91b",
            "value": "K7RKScan Kernel Module vulnerable driver.\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:4/71\nFirst Submission:2016-08-04T12:03:58.000000+00:00\nLast Submission:2026-04-01T23:48:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239236",
        "uuid": "05b2471d-cf09-4244-a893-ed6ce9310bd8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ThreatFire System Monitor vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239236",
            "to_ids": true,
            "type": "md5",
            "uuid": "01d9d4f6-4464-44ad-8810-bf38d1e2889d",
            "value": "761f2e2b759389a472bd3d94141742b9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ThreatFire System Monitor vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237395",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ebdb5a30-beae-4537-820f-6965368fe67b",
            "value": "c881f43c7fe94a6f056a84da8e9a32fe56d8dd9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ThreatFire System Monitor vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237395",
            "to_ids": true,
            "type": "sha256",
            "uuid": "bfebb1f4-acba-45f1-bc3d-d296b0087b5a",
            "value": "1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235708",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b06f46c3-b350-49e0-9182-9d6221ad7cf4",
            "value": "768:El2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciCwC:QgrFq3OVgUgla/4nqywo4G2E"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235708",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "db19cd23-7f9d-43af-8e9d-b97bb17aed0d",
            "value": "60416"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235708",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1cbb85d6-136a-46fc-9236-db6268bdf40e",
            "value": "064076655d151e55151iz62xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235708",
            "to_ids": true,
            "type": "filename",
            "uuid": "fc95ea58-bd40-4068-b359-2384769016aa",
            "value": "TfSysMon.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan\t:  31/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235708",
            "to_ids": false,
            "type": "text",
            "uuid": "a5ebb6a1-69cc-4ad6-a17f-ed92f14c02b4",
            "value": "ThreatFire System Monitor vulnerable driver.\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:17/71\nFirst Submission:2014-03-04T23:01:08.000000+00:00\nLast Submission:2026-03-25T11:12:41.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239257",
        "uuid": "6810fb97-b9f0-4cfc-877e-a175a41e63cc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Rentdrv2 vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239257",
            "to_ids": true,
            "type": "md5",
            "uuid": "c2e5febc-e0d5-4afa-873c-4e91c560880e",
            "value": "5fea22f442e7fd34a54008e363446d13",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rentdrv2 vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237397",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3eaa348a-ba5c-4cab-9980-36af18d6e59b",
            "value": "67d17ca90880b448d5c3b40f69cec04d3649f170",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Rentdrv2 vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237397",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c45cac5a-7363-4567-a40e-c45f086f9108",
            "value": "9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235730",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0d72c664-c85b-47e3-b8c4-4a1d32fa05bf",
            "value": "384:oQQFlifjYsLztg272Kw0HWL3XLI02kUW6TXr0I2juriMh3ay50ZSxR9zusrhwC:H8i7YsHW2aKwCWDlurd3h50Zi9zuQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235730",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "53f6b153-948c-49a1-8cd0-796be8e4897f",
            "value": "32328"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235730",
            "to_ids": true,
            "type": "vhash",
            "uuid": "790ea3b4-5195-4564-a612-4cd3c854baef",
            "value": "134056555d051e5iz3bxz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235730",
            "to_ids": true,
            "type": "filename",
            "uuid": "1b335a01-217e-4463-9bc8-94fa5ab434f5",
            "value": "GhostDriver.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan\t:  24/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235730",
            "to_ids": false,
            "type": "text",
            "uuid": "de89c9a4-a343-417c-94d4-1f21db6aa022",
            "value": "Rentdrv2 vulnerable driver.\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/RentDrvSya!MSR\nVT Total Detection:27/72\nFirst Submission:2023-09-01T14:46:43.000000+00:00\nLast Submission:2026-03-09T05:20:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239278",
        "uuid": "2a45971c-563a-4368-b323-243cbd74ef33",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "USB-C Power Delivery Firmware Update Utility vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239278",
            "to_ids": true,
            "type": "md5",
            "uuid": "3b4ab56a-e07e-40af-ac4c-71f3e4e0b6fb",
            "value": "b96d75a000367c200958089728fc5cb8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "USB-C Power Delivery Firmware Update Utility vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237398",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f65fc9ab-67c2-4949-83ff-07a37b4994a5",
            "value": "f329ae0fdf1e198bea6ba787e59cb73f90714002",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "USB-C Power Delivery Firmware Update Utility vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237398",
            "to_ids": true,
            "type": "sha256",
            "uuid": "521dd363-f728-4d8f-be89-98e44f779376",
            "value": "6e8b49cf70bf854e8c59c7d27cefa89406caf8978461190dabb86dafcd8554e1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235751",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "43155865-57ca-4486-9cf0-96cd76ef0c4f",
            "value": "1536:Qn8/+PtpHLPxNn1szNYeYVxRqx+g1JOE7ubt6INPXWmT6A5+KA:5/yTxNKOesx8xIh6AGLA5I"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235751",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e275fc7a-b897-4c56-94ec-2b79655a20b5",
            "value": "80536"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235751",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c73701ff-ae3c-4c81-87b9-751cabc43bf7",
            "value": "084076551d151615151iz11xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235751",
            "to_ids": true,
            "type": "filename",
            "uuid": "7ce0e7c8-f61c-4b92-89da-e2be46693cb3",
            "value": "PDFWKRNL.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235751",
            "to_ids": false,
            "type": "text",
            "uuid": "e76e92c0-73b0-4688-ac7e-3f387f7cdeeb",
            "value": "USB-C Power Delivery Firmware Update Utility vulnerable driver.\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 1/72\nFirst Submission: 2025-05-06T10:29:50.000000+00:00\nLast Submission: 2025-05-06T10:29:50.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239300",
        "uuid": "ce3bcc93-c96f-419d-bbe1-1812dc751a1b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ThrottleStop vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239300",
            "to_ids": true,
            "type": "md5",
            "uuid": "9b3a7a02-9072-49fd-8bc1-04845649f8fd",
            "value": "6bc8e3505d9f51368ddf323acb6abc49",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ThrottleStop vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237399",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3777c799-2d23-4a34-b1fe-09920375e886",
            "value": "82ed942a52cdcf120a8919730e00ba37619661a3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ThrottleStop vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237400",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dd55afa0-466b-4f06-b882-4121f96dbe12",
            "value": "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235773",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1de499c7-306d-4b04-a8f5-c10124ba70ee",
            "value": "768:NtYC8ntVFJD/i4iW4cTzmwi28O3zuv2fT8aKgrEfp33bcmKg:N38tVIdQ3bT8aGftL/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235773",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4bcf7980-a508-4eb4-abe4-87410ea2d330",
            "value": "50216"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235773",
            "to_ids": true,
            "type": "vhash",
            "uuid": "dda522d1-d00e-4fbc-acc0-8b6a119abaa3",
            "value": "054086651d151666151519z26z33xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235773",
            "to_ids": true,
            "type": "filename",
            "uuid": "65ef81b1-2e58-4715-8ed6-51bede133fbc",
            "value": "ThrottleStop.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235773",
            "to_ids": false,
            "type": "text",
            "uuid": "ff2eeba9-3cad-4e79-8f3c-f0009097dedb",
            "value": "ThrottleStop vulnerable driver.\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 13/72\nFirst Submission: 2020-10-19T10:49:19.000000+00:00\nLast Submission: 2026-04-01T15:32:38.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239321",
        "uuid": "041137f3-28bb-4548-bffd-e7087d2ae722",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Custom rootkit used by CardSpaceKiller.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239321",
            "to_ids": true,
            "type": "md5",
            "uuid": "ac814562-30dc-4f2a-842b-e92031f21a1d",
            "value": "cf7cad39407d8cd93135be42b6bd258f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Custom rootkit used by CardSpaceKiller.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237400",
            "to_ids": true,
            "type": "sha1",
            "uuid": "82849597-33a8-43fd-a63e-e1b4465b67de",
            "value": "ce1b9909cef820e5281618a7a0099a27a70643dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Custom rootkit used by CardSpaceKiller.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237400",
            "to_ids": true,
            "type": "sha256",
            "uuid": "424c0ee1-e7b6-47de-a0be-3e5eb2eb872d",
            "value": "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235795",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "50b2ad5e-f8d6-4b0c-b1aa-43e45461e092",
            "value": "96:g1GijRwRYg+2XxCKaNgSHWj7H1CT430C0CGTFD:g1ljRwqg+8ggYc71CT430ClGT9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235795",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "59c33922-98ad-4ac1-95b1-45f157127c99",
            "value": "9216"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235795",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4180f5ed-09f5-44b6-8719-1cada0f3bfcf",
            "value": "093066551d1516151iz14xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235795",
            "to_ids": true,
            "type": "filename",
            "uuid": "e80b4b63-6d35-4e8f-9de5-b017539c28a8",
            "value": "hlpdrv.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235795",
            "to_ids": false,
            "type": "text",
            "uuid": "699ae92e-0d81-48c8-94bb-642c500d2587",
            "value": "Custom rootkit used by CardSpaceKiller.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kepavll!rfn\nVT Total Detection: 53/72\nFirst Submission: 2025-04-09T11:37:58.000000+00:00\nLast Submission: 2026-03-19T06:12:10.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239342",
        "uuid": "f363c6bc-ce8e-45aa-8ed3-b0943c238bbc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Avast anti-rootkit vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239342",
            "to_ids": true,
            "type": "md5",
            "uuid": "0c3119f0-a369-4da2-957d-51b34cffc481",
            "value": "a179c4093d05a3e1ee73f6ff07f994aa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Avast anti-rootkit vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237401",
            "to_ids": true,
            "type": "sha1",
            "uuid": "08691ce3-5449-4ae5-9a1c-4a4d4b7afa17",
            "value": "5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Avast anti-rootkit vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237402",
            "to_ids": true,
            "type": "sha256",
            "uuid": "acdbb4b4-30ae-4d20-9ca3-5f5b4b49327c",
            "value": "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235817",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a27dc298-4793-4d18-a7ce-93d96b7ab3ed",
            "value": "3072:xz+NqbN1bKSAyU3+/3lV+V/VbCO2g8OPC3CuXBHmY6Nl6Y31DZkEL:ZZ8SNNQbCOD8X3CgmH6Y31lkEL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235817",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b2414387-7695-4de4-9ca6-705efe2e693e",
            "value": "208024"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235817",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7c67574c-7f2b-4da3-a046-bc013e204247",
            "value": "025086655d15566655155iza6xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235817",
            "to_ids": true,
            "type": "filename",
            "uuid": "2cd93efa-5c54-4ac2-8abc-e1d0c58f68af",
            "value": "aswArPot.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235817",
            "to_ids": false,
            "type": "text",
            "uuid": "93a18c24-9205-4374-be93-3f6aa7f3d8ed",
            "value": "Avast anti-rootkit vulnerable driver.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/RootkitDrv!MSR\nVT Total Detection: 13/71\nFirst Submission: 2021-02-05T13:38:11.000000+00:00\nLast Submission: 2026-03-19T02:02:08.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239363",
        "uuid": "e6998556-f989-4078-ab35-9de5c6ba97f3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ITM SYSTEM File Filter vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239363",
            "to_ids": true,
            "type": "md5",
            "uuid": "2edd1e46-dc28-42a5-9c68-62d8c79ec5d7",
            "value": "8c8c93a6b6c6d6e632a54877fc1a209e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ITM SYSTEM File Filter vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237403",
            "to_ids": true,
            "type": "sha1",
            "uuid": "46dec9b3-8f4a-4dee-9519-6d9357c1e628",
            "value": "7310d6399683ba3eb2f695a2071e0e45891d743b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ITM SYSTEM File Filter vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237403",
            "to_ids": true,
            "type": "sha256",
            "uuid": "92a5a206-6eb1-4c7c-b01c-b689aa7cf8b2",
            "value": "023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235839",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "205370b0-48d5-4b4d-b194-00febf918550",
            "value": "384:s33h+malYtzO7zmQ++jiPV+PQ6eg3OOAFN0rA1Ghj8mfFxf3xlSUYJLdSkjGZfdG:yx8YPoj8L6WOqGSfmb3C5Ltiq"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235839",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "dd6dc496-6f2f-49e0-8121-0ee9f9f8cd03",
            "value": "30864"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235839",
            "to_ids": true,
            "type": "vhash",
            "uuid": "efdbce7a-cfa9-4b14-b37c-bf777e39d9a9",
            "value": "034076651d151e55151iz23xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235839",
            "to_ids": true,
            "type": "filename",
            "uuid": "3c07551c-b4f4-495a-8a17-b8801c0c1ac6",
            "value": "probmon.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 26/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235839",
            "to_ids": false,
            "type": "text",
            "uuid": "8244c993-fab5-47d9-bccc-ed91ed2468f1",
            "value": "ITM SYSTEM File Filter vulnerable driver.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection:18/72\nFirst Submission:2024-01-23T03:41:04.000000+00:00\nLast Submission:2026-03-16T14:07:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239384",
        "uuid": "93734077-f36b-4fc2-8f16-5c073cd793af",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Beijing Rising Network Security vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239384",
            "to_ids": true,
            "type": "md5",
            "uuid": "71053853-eb64-4a08-9cdd-1bb67f0450f9",
            "value": "054a32d6033b1744dca7f49b2e466ea2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Beijing Rising Network Security vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237404",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d124cb96-fae1-4a5e-bbcf-d2f00a2a0be7",
            "value": "c85c9a09cd1cb1691da0d96772391be6ddba3555",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Beijing Rising Network Security vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237404",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b382df08-54ea-4a1b-935b-efab5d7ced1a",
            "value": "ea8c8f834523886b07d87e85e24f124391d69a738814a0f7c31132b6b712ed65",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235862",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0b2c32b9-fcdb-49af-9ebb-eb61b698d463",
            "value": "1536:FpP2fTTiN/98Chua7XsIOZFym1n2GSDBT/rft2EL:3U/E/98O76wKnK1DjsEL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235862",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1af030b5-c492-4d59-b65e-5a1428177c21",
            "value": "84136"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235862",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1a6faaa5-f9fe-4b4b-961b-49a3eb5604d6",
            "value": "084096651d15150655551iz5yz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235862",
            "to_ids": true,
            "type": "filename",
            "uuid": "d7717999-c3e2-4e05-83ab-c8983621955d",
            "value": "rspot.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 31/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235862",
            "to_ids": false,
            "type": "text",
            "uuid": "4236ff70-1203-483d-a62c-fde942d933eb",
            "value": "Beijing Rising Network Security vulnerable driver.\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:4/71\nFirst Submission:2021-11-05T21:25:17.000000+00:00\nLast Submission:2025-10-22T07:35:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239406",
        "uuid": "c2717773-6010-4b0d-bf98-86ebbd8c4206",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "OCular THelper vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239406",
            "to_ids": true,
            "type": "md5",
            "uuid": "b2ead1c7-e148-442e-9708-90caaccd3ddd",
            "value": "0f5b41e746b09c740e57c0262edbd140",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "OCular THelper vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237405",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f3535a19-bec7-4232-9166-a270e5112759",
            "value": "6ee94f6bdc4c4ed0fff621fec36c70ff093659ed",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "OCular THelper vulnerable driver.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237405",
            "to_ids": true,
            "type": "sha256",
            "uuid": "bcaad74d-dfdd-4541-9682-467e0ae23cfd",
            "value": "7e783b0a0ff4710306bb3bca29296cf962ae77abc81245a99f12a9039158226f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235884",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "536c9a77-e38d-4d88-ba16-3f1baa1d5eb8",
            "value": "768:J52gj6cW1qgWkPuCROBA9Hf1KCvyxYzrbzqLxaxpxFn2M8EAX8IUkMHwPeEWwBbi:J9FkpZ9VzrbOLx+1jEX7UqE8by+zuvbN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235884",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f87d1b0b-9dda-462a-a627-65a2fe37f05f",
            "value": "69632"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235884",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ae27c8d6-7423-4fc2-8723-320cfd2fff7b",
            "value": "064076651d151e15151iz36xz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235884",
            "to_ids": true,
            "type": "filename",
            "uuid": "54c7aa4a-3af5-4b10-b6ab-49725c745ca0",
            "value": "thelper.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 03/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235884",
            "to_ids": false,
            "type": "text",
            "uuid": "4cb68db5-9aa8-46bb-83f9-ff9554cea722",
            "value": "OCular THelper vulnerable driver.\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:4/72\nFirst Submission:2022-11-18T13:57:24.000000+00:00\nLast Submission:2026-03-23T14:13:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239428",
        "uuid": "b243e70c-6b35-447f-b2fb-b82c8edacd1c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MS4Killer EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239428",
            "to_ids": true,
            "type": "md5",
            "uuid": "d7de04af-4a97-4d9b-89f5-625cf477ad71",
            "value": "f0ac3999d4020cd051052a0627a2056d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MS4Killer EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237407",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6d48096b-8544-45c5-acd6-3dae547be3de",
            "value": "ba14c43031411240a0836bedf8c8692b54698e05",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MS4Killer EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237407",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1be511e1-acb4-4ab5-8bfa-94fb988b7ca1",
            "value": "0d2619844a3ab68ee18c3a4768b10e6b8aea31143023277883b7ff9f7a9e55ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235906",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3e8e9a1e-05a8-4d3e-a475-aad5a71bce54",
            "value": "6144:o7f1mx9b/nHczHXhizKMmdZOudN4UFnKzONmHipoD3JxeCx+n36GBdPCxc1OuL:o7f1mx5PHczMOpQ6UCQ28+nqQM"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235906",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c3232091-15ee-48cf-b5d0-90096c5cff6c",
            "value": "456704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235906",
            "to_ids": true,
            "type": "vhash",
            "uuid": "03b8c67d-c9fa-4c4f-964f-2aef455686d1",
            "value": "045066656d15551550f8z793za3z3023z1lz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235906",
            "to_ids": true,
            "type": "filename",
            "uuid": "6ffda195-1abf-4d60-8602-5155628859af",
            "value": "pp.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 26/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235906",
            "to_ids": false,
            "type": "text",
            "uuid": "9703b729-e9f9-49da-a522-72b679b09a79",
            "value": "MS4Killer EDR killer.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Seheq!rfn\nVT Total Detection:50/72\nFirst Submission:2024-08-12T02:40:31.000000+00:00\nLast Submission:2024-08-12T02:40:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239450",
        "uuid": "56dd969d-fc2f-4e63-8181-bde28229d68a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239450",
            "to_ids": true,
            "type": "md5",
            "uuid": "91da47ad-515e-44b1-92de-9ac8b5b55732",
            "value": "54de95cc33834a2f877ba4842860af27",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237408",
            "to_ids": true,
            "type": "sha1",
            "uuid": "95ed12f2-f378-425b-8df1-5921771ac0ec",
            "value": "127b50c8185986a52ae66bf6e7e67a6fd787c4fc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237408",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4d81f6c5-6bc9-4e24-9316-4e59c4c1bf4f",
            "value": "95a6f6e79c1842cea3603df3209fddc12aeb4fc77d1c58a852f877b1eaa9c4c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235928",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6df0621e-8691-4494-a345-381b0605da4a",
            "value": "49152:cIC3sTfKih+AeyjLnqt2bocfY3yIbw5Bo8jayrxDJ8e7:N98yr9+e7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235928",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "2da1aab8-1efa-4d3a-9817-ca58290bcbbf",
            "value": "2213376"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235928",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d1bee656-8e94-46c5-b65f-f1e4ab5199e6",
            "value": "126066555d75151516z1700456z14uzf"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235928",
            "to_ids": true,
            "type": "filename",
            "uuid": "fa47c0eb-00e6-492a-b231-783c3a4aad1b",
            "value": "Mets prekindle"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 01/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235928",
            "to_ids": false,
            "type": "text",
            "uuid": "05f95290-79ee-4973-ab74-3e4bff72681b",
            "value": "CardSpaceKiller EDR killer.\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/Bumblebee.GTB!MTB\nVT Total Detection:53/71\nFirst Submission:2025-06-28T09:10:25.000000+00:00\nLast Submission:2025-11-10T15:57:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239471",
        "uuid": "1e3cb7bd-b997-41d6-8667-5a0bd8e334f7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239471",
            "to_ids": true,
            "type": "md5",
            "uuid": "2a468bae-a589-440e-b1ce-768779a2780b",
            "value": "3fd73115a166157e731e8b538155ab4f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237409",
            "to_ids": true,
            "type": "sha1",
            "uuid": "516160ad-cbe4-409d-9051-32fbad44e08f",
            "value": "a3bdb419703a70157f2b7bd1dc2e4c9227dd9fe8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237409",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fb4baa53-5e7a-4a60-8996-4b2e7f8faa48",
            "value": "5b7b280b53ff3cf95ead4fd4a435cd28294c5fce6a924ec52e500a109deb868b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235950",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a9d7d3b6-5941-4ddf-874f-74ccdd1f4a53",
            "value": "24576:1+oDIjWnN1AuTNPfnYRLy7TjI6wcANyvMiBBFBJmRR/B:kVWnAwOy7Zt7Bqz/B"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235950",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "24e3ca02-0411-44e6-b113-e59c20540f22",
            "value": "1595392"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235950",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0c8f1cf5-d57d-4896-bbeb-490633d046e6",
            "value": "016066557d15551516z3b0044!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235950",
            "to_ids": true,
            "type": "filename",
            "uuid": "27ecff8d-dc12-4761-b47c-5ed1b8b963db",
            "value": "Panleucopenia paleozoology"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 26/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235950",
            "to_ids": false,
            "type": "text",
            "uuid": "96a57c88-d77a-4750-b8e1-5ad2e2ba0979",
            "value": "CardSpaceKiller EDR killer.\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Kepavll!rfn\nVT Total Detection:48/72\nFirst Submission:2025-04-11T12:05:48.000000+00:00\nLast Submission:2025-04-15T05:06:48.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775239492",
        "uuid": "5be9deab-0ed2-4c69-bc92-6ad76dcc6bc9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775239492",
            "to_ids": true,
            "type": "md5",
            "uuid": "4078eda0-3879-417c-b78e-787d20d1c699",
            "value": "a2b2cacd5ab0e553d9b3d359564014dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237411",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f3cb80b2-8050-4894-91fb-c000ee6f4246",
            "value": "db8bcb8693ddf715552f85b8e2628f060070f920",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CardSpaceKiller EDR killer.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237411",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c27862f3-88e7-41ba-8a34-fb7ec30be364",
            "value": "017933be6023795e944a2a373e74e2cc6885b5c9bc1554c437036250c20c3a7d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775235992",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "135d1cec-4940-4168-96ef-3223e3b48fda",
            "value": "384:0x1j35Tz+Pguu482mNDG8zNqRdSJIVE8E9VF0NyD8FKoGXRUHeMZnydxazNK/:m1jNz+Pefh88y82EJX6nWgzG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775235992",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6968c3c6-7ea1-445b-a10e-ec17487d9966",
            "value": "31680"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775235992",
            "to_ids": true,
            "type": "vhash",
            "uuid": "691c7388-76c0-4f89-8032-7e8179dd90c3",
            "value": "034066551d151e1519z27zaxz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775235992",
            "to_ids": true,
            "type": "filename",
            "uuid": "b098a14f-d0e7-4ba9-8c5d-10ef03ad593f",
            "value": "HwRwDrv.sys"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 01/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775235992",
            "to_ids": false,
            "type": "text",
            "uuid": "a0ed5b81-b04e-4b16-9a1d-59dedc59b4f1",
            "value": "CardSpaceKiller EDR killer.\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:5/71\nFirst Submission:2024-10-29T09:25:52.000000+00:00\nLast Submission:2025-12-20T03:22:59.000000+00:00"
          }
        ]
      }
    ]
  }
}