{
  "Event": {
    "analysis": "1",
    "date": "2026-04-11",
    "extends_uuid": "",
    "info": "[Threat Intel] Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger",
    "protected": false,
    "publish_timestamp": "1776175469",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776175469",
    "uuid": "e3474aeb-5311-4c67-a6ec-02659f6cd002",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9dc839",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1115\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#98f3da",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Visual Basic - T1059.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Kimsuky\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135611",
        "to_ids": false,
        "type": "link",
        "uuid": "7b0808f9-d04e-4c93-9a41-9b12042287fb",
        "value": "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135611",
        "to_ids": false,
        "type": "text",
        "uuid": "8c86718f-c69c-429f-a867-82f1768d7d9a",
        "value": "On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of the complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via a scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with the \"Million OK !!!!\" signature, matching previously documented Kimsuky infrastructure while showing an upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135611",
        "to_ids": false,
        "type": "text",
        "uuid": "2c251f97-00a7-4522-8d16-59a50d78df1b",
        "value": "Name: Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger\nAuthor: AlienVault\nAdversary: Kimsuky\nTags: [\"apt43\", \"korean targeting\", \"chm dropper\", \"vbscript stager\", \"naver phishing\", \"credential harvesting\", \"dprk\", \"powershell keylogger\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1113\", \"T1132.001\", \"T1056.001\", \"T1036.005\", \"T1204.002\", \"T1566.001\", \"T1115\", \"T1082\", \"T1053\", \"T1140\", \"T1112\", \"T1083\", \"T1057\", \"T1041\", \"T1059.001\", \"T1547.001\", \"T1027\", \"T1518.001\", \"T1071.001\", \"T1059.005\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135611",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "7e6936d4-731e-46ab-b553-e1ac35a46fcd",
        "value": "Kimsuky"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776168874",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "25ebdb6d-78c6-43ec-bfcc-6e260f74f00b",
        "value": "51.79.185.184",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776168895",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cc61d220-b26f-4a63-af4e-e37f17f11a52",
        "value": "118.194.249.109",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776168916",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "afd8898f-b090-4256-bc70-da91c3aa080a",
        "value": "130.94.29.111",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776168938",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "331441ac-10d2-44a4-9758-9a0fa7b0ab3a",
        "value": "162.255.119.150",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776168960",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "68f55594-f7de-47d7-b0e3-3ab1003d6dd5",
        "value": "27.102.137.150",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776168981",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5ae412fa-3a1b-43ba-9a47-05c03a8fd55c",
        "value": "27.102.137.38",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169002",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "07d373af-843d-478e-a76d-e0bf7d6fbfa7",
        "value": "27.102.138.45",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169023",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5e1dff8d-6e2b-48b9-8e27-8fb8e12be84d",
        "value": "38.60.220.135",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169044",
        "to_ids": true,
        "type": "url",
        "uuid": "2195450b-38c4-4384-9863-eb4d0d66cf8c",
        "value": "http://check.nid-log.com/api'",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169065",
        "to_ids": true,
        "type": "url",
        "uuid": "13ac09cc-9527-4767-9cb3-3613731610ea",
        "value": "http://check.nid-log.com/api/bootservice.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169087",
        "to_ids": true,
        "type": "url",
        "uuid": "394b0ee5-b00e-4080-8dd0-09190c3755af",
        "value": "http://check.nid-log.com/api/bootservice.php?tag=",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169108",
        "to_ids": true,
        "type": "url",
        "uuid": "e7c81862-b4ce-4ac5-a44b-94d7e2709176",
        "value": "http://check.nid-log.com/api/checkservice.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169129",
        "to_ids": true,
        "type": "url",
        "uuid": "321efdd9-074e-4bb2-82b4-7f0f7b562429",
        "value": "http://check.nid-log.com/api/finalservice.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169150",
        "to_ids": true,
        "type": "url",
        "uuid": "a856f8a5-51a5-4010-9b85-bbc350b7f7f7",
        "value": "http://noreplymail.space/BitJoker/bootservice.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135612",
        "to_ids": true,
        "type": "yara",
        "uuid": "171c5e33-1437-4fad-8ebe-7d4d6d1cb7c9",
        "value": "22885ad517585b9f0c5bb9fdd785df00e7c0cfc0"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169171",
        "to_ids": true,
        "type": "domain",
        "uuid": "cf45b733-c1ff-4d0a-aed1-89b421c3138b",
        "value": "nid-log.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169193",
        "to_ids": true,
        "type": "domain",
        "uuid": "ff34630b-6e5f-43c4-a5f6-d25479bff0e5",
        "value": "noreplymail.space",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169214",
        "to_ids": true,
        "type": "domain",
        "uuid": "e269ea5d-0c60-4bb2-9379-d91527c338a7",
        "value": "uncork.biz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169235",
        "to_ids": true,
        "type": "domain",
        "uuid": "06107593-35bd-4fdd-aefa-cbffbbe396c9",
        "value": "withheldforprivacy.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169256",
        "to_ids": true,
        "type": "hostname",
        "uuid": "33e05b43-5f42-4688-83dd-7a17691389a2",
        "value": "check.nid-log.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169278",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9e173f59-1f4c-4070-a374-e3db71fe0fee",
        "value": "chk.uncork.biz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169299",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6a86029f-99bd-41b6-a447-64a9c7a340c5",
        "value": "miss-tax.dns.navy",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169321",
        "to_ids": true,
        "type": "hostname",
        "uuid": "168f5d8e-96c1-4efd-a705-74caa92f5445",
        "value": "nid-htl.duckdns.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169342",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7411fb3b-3caa-430d-a857-28508506bb9d",
        "value": "nid-navercwu.servecounterstrike.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169363",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7ab858a7-f96a-40b3-8d74-1e9d31a47eab",
        "value": "nid-naverfxc.servecounterstrike.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169384",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f06eb494-f6a5-42be-ae94-341662b69872",
        "value": "nid-naverpep.servequake.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169406",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d86fdd61-cd6b-4dad-bd04-4129a3267c11",
        "value": "nid-navertca.servehalflife.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169428",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9020adff-e5d6-4d95-93b7-e96675aef0b9",
        "value": "nid-tax.dns.army",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169449",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1e5421d8-16b4-44c9-a084-3855821a131f",
        "value": "pay-tax.dns.navy",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169470",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ef712fb4-0168-4670-8a80-446de5a34e5f",
        "value": "tax-invoice.dns.army",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776169492",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2e0fe969-270c-4bbd-9d5b-3751529352bb",
        "value": "verify.efine-log.kro.kr",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776169513",
        "uuid": "de323b81-c3f5-4494-969a-bd7b8aad3df6",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776169513",
            "to_ids": true,
            "type": "md5",
            "uuid": "6cec27bb-451b-43f3-9db6-f670649e3af4",
            "value": "08815400eb034d0c760d031e735bd392",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167030",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9bb0da95-7e97-41f1-8d9f-4ae64952419f",
            "value": "66af61e3e376284f691d449d0042e8b2c1174278",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167030",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f6c49f71-42b7-4064-a3fb-e79446a52ce8",
            "value": "d7c09e7bf79aa9b786dcd9f870427f4a1110f702646fba9d3835215ad3649d0b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776166777",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "332f75f0-b778-4665-ad63-121358bdfc1e",
            "value": "12:UbF/JhHv26qp0w98FWaiZnfLkpAF7Axa2lDQ/xn+0s/gY+zWd:UbNJhv2HZ9aiZnfLxwDIn46Wd"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776166777",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5fb365ef-81b4-4e1e-9364-5077586ccd4d",
            "value": "449"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776166777",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1883068a-5b95-4bd7-a346-cfeea7cda48b",
            "value": "7a0b2dc29bb13fccf1ef1e467036267d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776166777",
            "to_ids": true,
            "type": "filename",
            "uuid": "8fa25202-300c-4018-a605-6bf0e41da2d0",
            "value": "payload_1.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 14/04/2026\nLast-scan\t:  14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776166777",
            "to_ids": false,
            "type": "text",
            "uuid": "7fd7d903-c6b4-4bdd-a359-2f556e9f3f21",
            "value": "Type Description: VBA\nMicrosoft: None\nVT Total Detection:10/62\nFirst Submission:2026-04-10T18:21:06.000000+00:00\nLast Submission:2026-04-10T18:21:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776169534",
        "uuid": "82435f5b-ba1a-462c-ba40-42b7341c86c1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776169534",
            "to_ids": true,
            "type": "md5",
            "uuid": "e57fab9b-0bf3-4325-9aa4-40254d085db8",
            "value": "0ac44ad9cfbc58ed76415f7bc79239f9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167031",
            "to_ids": true,
            "type": "sha1",
            "uuid": "aa95c62d-6a58-4231-91d1-78e47d4ddd86",
            "value": "f759ccb6886234c63a66abd6102c636a46d1eba8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167031",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f3f03e71-9b47-47d2-82d8-f1aa12559032",
            "value": "1eff237dee95172363bfc0342d0389f809f753a6ec5e6848e57b3fd5482e9793",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776166799",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "29234ede-7065-470d-8a43-bcdf78fde491",
            "value": "96:9yKbXKvtydHWFnAOXgWn8XHblUkFB+JJZfP7Da3R/E17UFbMiCzw:9ya8wHx+b8rlN+fZfP7mu7WMiCz"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776166799",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "03fcf462-6b4f-4161-a36a-fbab361fad44",
            "value": "13254"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776166799",
            "to_ids": true,
            "type": "filename",
            "uuid": "6c906c9e-4cd2-46bb-a9f9-18491ed80a6b",
            "value": "1eff237dee95172363bfc0342d0389f809f753a6ec5e6848e57b3fd5482e9793.chm"
          },
          {
            "category": "Other",
            "comment": "Checked: 14/04/2026\nLast-scan\t:  14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776166799",
            "to_ids": false,
            "type": "text",
            "uuid": "0bcf23d2-719f-445d-bb93-13257ab29da3",
            "value": "Type Description: Compiled HTML Help\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:29/62\nFirst Submission:2026-04-10T15:32:01.000000+00:00\nLast Submission:2026-04-11T05:05:06.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776169555",
        "uuid": "acd8a6c2-2a91-40d9-8e13-7f1471573f43",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776169555",
            "to_ids": true,
            "type": "md5",
            "uuid": "24789104-3a14-4952-b439-3f624e501e09",
            "value": "4599ac1bbe483c73064df1353feafd01",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167032",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3d5c7a3e-77f1-494b-9521-c0e8b1c3a659",
            "value": "a76af8176da28fdab47f9a77d50eb0e89f2b8557",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167032",
            "to_ids": true,
            "type": "sha256",
            "uuid": "df8b2bfd-18a7-48d2-9ddc-70111ed97112",
            "value": "7047878f4fbea323148f6554afe616991eb56cc327653972c4213a9017c5e66b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776166820",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f920c9f7-296c-4476-bf51-ba4984c98168",
            "value": "96:DobxVzPV5BdNRuyWFpz/SI34/hs/6LSmIIcAkaIOdvJjpbQ+YOyCmFJOZHgP:Dqx9bRdQzKZ/hgySmI/vEvB1QumKZAP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776166820",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e2b4e8b2-d29b-4a7b-83c1-a92fd7342efc",
            "value": "14154"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776166820",
            "to_ids": true,
            "type": "filename",
            "uuid": "3a143280-8bae-405f-a9cb-8dd5334c11bd",
            "value": "7047878f4fbea323148f6554afe616991eb56cc327653972c4213a9017c5e66b.chm"
          },
          {
            "category": "Other",
            "comment": "Checked: 14/04/2026\nLast-scan\t:  14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776166820",
            "to_ids": false,
            "type": "text",
            "uuid": "9f6a2e70-9ae0-4ad5-98da-97339f9a23df",
            "value": "Type Description: Compiled HTML Help\nMicrosoft: None\nVT Total Detection:29/62\nFirst Submission:2025-03-11T13:33:07.000000+00:00\nLast Submission:2026-04-05T14:59:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776169576",
        "uuid": "f46ca4cf-cd51-4244-ba96-8b1acd3a5326",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776169576",
            "to_ids": true,
            "type": "md5",
            "uuid": "ca093367-62fb-409f-8f22-09fda822e4f7",
            "value": "6d03fd0b89fe997408b9e9e3d5ead602",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167033",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e6740498-c685-4279-8eeb-5b3c1c63a8e0",
            "value": "6aa51c23f0319a6b940072274adf47a0c29f27b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167033",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a59c6160-b1cf-4eca-9f69-be958acf5dd5",
            "value": "af50f35701916d3909f2727cdcbde1a7af47f46eb8db3996905b1c0725aa133f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776166842",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a4ecb559-a52e-4ee3-9d37-d0b2c58f1a77",
            "value": "96:Y4KbOqIXFDPHtxBi/2CyoV8F0YQ9TPnhU5tu1oTr7ILc1GFK1ZmMVuJT:IV8ljQPTV0Q91U541egL6nCT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776166842",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "197f00c7-e598-4e52-bd4a-048e1cdf1a87",
            "value": "6338"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776166842",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5ae2e206-b60f-4b8f-93a9-97d36259b895",
            "value": "e502ac73f0dc52bea0087c2d1b0e3c4e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776166842",
            "to_ids": true,
            "type": "filename",
            "uuid": "48b96775-b6cb-4e71-a6f9-77d5a2dff4d3",
            "value": "payload_1.vbs"
          },
          {
            "category": "Other",
            "comment": "Checked: 14/04/2026\nLast-scan\t:  14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776166842",
            "to_ids": false,
            "type": "text",
            "uuid": "06bd2b71-1df3-46a4-acea-4a5bb7898bec",
            "value": "Type Description: VBA\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:9/63\nFirst Submission:2026-04-10T18:13:35.000000+00:00\nLast Submission:2026-04-10T18:13:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776169597",
        "uuid": "0f97c85e-7544-496e-9791-130400cfd235",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776169597",
            "to_ids": true,
            "type": "md5",
            "uuid": "f3bed5b3-8efa-45f3-ac02-9ce1acea9db1",
            "value": "6f90f6b96fe3a5b79c1935211f557a08",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167034",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6d071a44-9eca-46f7-9f23-b1fa3ce2633d",
            "value": "51ab17a51cc000bbae89980082c57281c4c0b462",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167034",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f2a1d404-65dd-4ca6-ba5d-cc5bb7bd3404",
            "value": "85f8f8a3f28d2956776fbbd0365cdb78ac8dc1e6ed12818ef18caed0bb2f74c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776166864",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a14f5632-9f9c-489b-a51e-130e2532ee10",
            "value": "6:9cNAWdgUu54SsuN5N0HcCf36LqOIf9TQPfXgG1n+ATB:9vWdq4r8cJnfOP4G1TB"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776166864",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "63d57af6-defd-405f-a995-d1d3ad560e21",
            "value": "253"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776166864",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b1b0a09f-8e39-4145-b8a6-5ce6a1b3d080",
            "value": "2aeb71d5da6d5ea3f88875d548045866"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776166864",
            "to_ids": true,
            "type": "filename",
            "uuid": "4898008f-dcdb-4ab3-90f2-f5d83ff91709",
            "value": "Link.ini"
          },
          {
            "category": "Other",
            "comment": "Checked: 14/04/2026\nLast-scan\t:  14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776166864",
            "to_ids": false,
            "type": "text",
            "uuid": "adebb015-f8bc-493c-a6e1-00e35d25ba91",
            "value": "Type Description: VBA\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:22/62\nFirst Submission:2026-04-10T15:38:43.000000+00:00\nLast Submission:2026-04-13T12:19:48.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776169618",
        "uuid": "18bb2050-342e-440c-bcfe-07fa70faace8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776169618",
            "to_ids": true,
            "type": "md5",
            "uuid": "91f3ebaa-959f-4245-b9a0-a6ffdb8dcbc1",
            "value": "0697e6530be77452c6f8da145e1040d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776167034",
            "to_ids": true,
            "type": "sha1",
            "uuid": "473bab2f-17af-4117-aa4c-3fe63577bd00",
            "value": "65713ed54d34cc33d9575edb78308bc61bced040",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776167034",
            "to_ids": true,
            "type": "sha256",
            "uuid": "655f8ed3-7f13-4a72-a931-36bc3402b087",
            "value": "a36576a096db24a1c91327eb547dedf52e5bd4b0d4593b88d9593d377585b922",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776166886",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a6b6e6c5-aadf-4a1d-86ff-5cc628c66fba",
            "value": "96:x9duIygUphtos5Ae0VY8tt4eLiELi/TeKNuvcKI:Bs5Ae0VY8tt7LiELi/aKEUKI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776166886",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1390ab6b-b205-45a9-9cf1-a2b795e5dc46",
            "value": "3886"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776166886",
            "to_ids": true,
            "type": "vhash",
            "uuid": "217baa4e-1475-49e6-9021-ca5165589549",
            "value": "567560213e9adbc25e0638fe35122134"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776166886",
            "to_ids": true,
            "type": "filename",
            "uuid": "e4ecf18a-c241-4b09-b728-76e9ceb63ec7",
            "value": "bootservice[1].htm"
          },
          {
            "category": "Other",
            "comment": "Checked: 14/04/2026\nLast-scan\t:  14/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776166886",
            "to_ids": false,
            "type": "text",
            "uuid": "56b69116-6ea5-4fae-afc9-2638db604809",
            "value": "Type Description: HTML\nMicrosoft: None\nVT Total Detection:0/62\nFirst Submission:2025-03-13T10:22:57.000000+00:00\nLast Submission:2025-03-13T10:22:57.000000+00:00"
          }
        ]
      }
    ]
  }
}