{ "type": "IPv4", "indicator": "3.0.2.3", "general": { "whois": "http://whois.domaintools.com/3.0.2.3", "reputation": 0, "indicator": "3.0.2.3", "type": "IPv4", "type_title": "IPv4", "base_indicator": { "id": 4314698970, "indicator": "3.0.2.3", "type": "IPv4", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69e1568cac2c96dd496dba29", "name": "AHS/Cov.Health/GoA/UAlberta -> Event Viewer Custom View - Typical PC - 04.16.26.zip", "description": "4dfde25f15d828029e492ccdffea343500598c3d0aac896792d97b62ce2fc440\nEvent Viewer Custom View - Typical PC - 04.16.26.zip\nAnother one bites the dust. I don't think a zipped log file from event viewer should be doing all of this??", "modified": "2026-05-16T21:16:21.456000", "created": "2026-04-16T21:37:16.194000", "tags": [ "event viewer", "custom view", "traceix", "sha-256", "hash search", "malware classification", "encrypted training data", "thrt", "solana", "pcef", "upload", "copy", "capability att", "ck mbc", "exif", "generate", "results", "sha256 drop", "traceix enter", "mint", "linkid787651", "linkid2097191", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "wnp transport", "data connection", "layer", "none", "wsse", "layer tls", "class", "service", "path", "target", "unknown", "powershell", "local", "error", "silent", "body", "root", "agent", "open", "suspicious", "code", "level", "date", "stream", "hybrid", "crypto", "push", "dcom", "false", "install", "null", "guard", "arch", "close", "click", "april", "pass", "dword", "format", "bypass", "autodetect", "strings", "malicious", "contact", "static analyzer", "emulation", "analyzer", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "platform", "domain", "varist hybrid", "analyzer resu" ], "references": [ "https://traceix.com/search?sha256=4dfde25f15d828029e492ccdffea343500598c3d0aac896792d97b62ce2fc440&wait=1&tab=av", "http://hybrid-analysis.com/sample/6f1886652984a97cd01fa8a0c2a5a029e90986d51b74c4b61cf81f23e1a457ae/69e146d2c0ff5214930f108b", "https://app.threat.zone/submission/2630d729-3f2b-41cc-bfad-0fa3bc3cefa2/overview", "https://www.filescan.io/uploads/69e1421e5ea31bc68a320574/reports/c43ffdc1-bc0f-40d7-8abc-8e515eff74c5/ioc" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 44, "URL": 389, "domain": 41, "hostname": 161, "FileHash-MD5": 64, "FileHash-SHA1": 99, "email": 5 }, "indicator_count": 803, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69e1884160553f00eba58d01", "name": "AHS/Cov.Health/GoA/UAlberta -> clone disable_duck", "description": "", "modified": "2026-05-16T21:16:21.456000", "created": "2026-04-17T01:09:21.720000", "tags": [ "event viewer", "custom view", "traceix", "sha-256", "hash search", "malware classification", "encrypted training data", "thrt", "solana", "pcef", "upload", "copy", "capability att", "ck mbc", "exif", "generate", "results", "sha256 drop", "traceix enter", "mint", "linkid787651", "linkid2097191", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "wnp transport", "data connection", "layer", "none", "wsse", "layer tls", "class", "service", "path", "target", "unknown", "powershell", "local", "error", "silent", "body", "root", "agent", "open", "suspicious", "code", "level", "date", "stream", "hybrid", "crypto", "push", "dcom", "false", "install", "null", "guard", "arch", "close", "click", "april", "pass", "dword", "format", "bypass", "autodetect", "strings", "malicious", "contact", "static analyzer", "emulation", "analyzer", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "platform", "domain", "varist hybrid", "analyzer resu" ], "references": [ "https://traceix.com/search?sha256=4dfde25f15d828029e492ccdffea343500598c3d0aac896792d97b62ce2fc440&wait=1&tab=av", "http://hybrid-analysis.com/sample/6f1886652984a97cd01fa8a0c2a5a029e90986d51b74c4b61cf81f23e1a457ae/69e146d2c0ff5214930f108b", "https://app.threat.zone/submission/2630d729-3f2b-41cc-bfad-0fa3bc3cefa2/overview", "https://www.filescan.io/uploads/69e1421e5ea31bc68a320574/reports/c43ffdc1-bc0f-40d7-8abc-8e515eff74c5/ioc" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "69e1568cac2c96dd496dba29", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 44, "URL": 389, "domain": 41, "hostname": 161, "FileHash-MD5": 64, "FileHash-SHA1": 99, "email": 5 }, "indicator_count": 803, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "references": [ "https://app.threat.zone/submission/2630d729-3f2b-41cc-bfad-0fa3bc3cefa2/overview", "http://hybrid-analysis.com/sample/6f1886652984a97cd01fa8a0c2a5a029e90986d51b74c4b61cf81f23e1a457ae/69e146d2c0ff5214930f108b", "https://www.filescan.io/uploads/69e1421e5ea31bc68a320574/reports/c43ffdc1-bc0f-40d7-8abc-8e515eff74c5/ioc", "https://traceix.com/search?sha256=4dfde25f15d828029e492ccdffea343500598c3d0aac896792d97b62ce2fc440&wait=1&tab=av" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Healthcare", "Education", "Technology", "Government" ] } } }, "false_positive": [], "validation": [ { "source": "cloud", "message": "In cloud provider range: provider=AWS", "name": "Cloud Provider IP range" } ], "asn": "AS16509 amazon.com inc", "city_data": true, "city": "Singapore", "region": null, "continent_code": "AS", "country_code3": "SGP", "country_code2": "SG", "subdivision": null, "latitude": 1.2929, "postal_code": "18", "longitude": 103.8547, "accuracy_radius": 1000, "country_code": "SG", "country_name": "Singapore", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/sg.png", "flag_title": "Singapore", "sections": [ "general", "geo", "reputation", "url_list", "passive_dns", "malware", "nids_list", "http_scans" ] }, "geo": { "asn": "AS16509 amazon.com inc", "city_data": true, "city": "Singapore", "region": null, "continent_code": "AS", "country_code3": "SGP", "country_code2": "SG", "subdivision": null, "latitude": 1.2929, "postal_code": "18", "longitude": 103.8547, "accuracy_radius": 1000, "country_code": "SG", "country_name": "Singapore", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/sg.png", "flag_title": "Singapore" }, "geo_ipapicom": { "country": "Singapore", "country_code": "SG", "region": "Central Singapore", "city": "Singapore", "zip": "048582", "latitude": 1.28009, "longitude": 103.851, "timezone": "Asia/Singapore", "isp": "Amazon Technologies Inc.", "org": "AWS EC2 (ap-southeast-1)", "asn": "AS16509 Amazon.com, Inc.", "asn_name": "AMAZON-02", "is_proxy": false, "is_hosting": true, "source": "ip-api.com" }, "pulse_count": 2, "pulses": [ { "id": "69e1568cac2c96dd496dba29", "name": "AHS/Cov.Health/GoA/UAlberta -> Event Viewer Custom View - Typical PC - 04.16.26.zip", "description": "4dfde25f15d828029e492ccdffea343500598c3d0aac896792d97b62ce2fc440\nEvent Viewer Custom View - Typical PC - 04.16.26.zip\nAnother one bites the dust. I don't think a zipped log file from event viewer should be doing all of this??", "modified": "2026-05-16T21:16:21.456000", "created": "2026-04-16T21:37:16.194000", "tags": [ "event viewer", "custom view", "traceix", "sha-256", "hash search", "malware classification", "encrypted training data", "thrt", "solana", "pcef", "upload", "copy", "capability att", "ck mbc", "exif", "generate", "results", "sha256 drop", "traceix enter", "mint", "linkid787651", "linkid2097191", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "wnp transport", "data connection", "layer", "none", "wsse", "layer tls", "class", "service", "path", "target", "unknown", "powershell", "local", "error", "silent", "body", "root", "agent", "open", "suspicious", "code", "level", "date", "stream", "hybrid", "crypto", "push", "dcom", "false", "install", "null", "guard", "arch", "close", "click", "april", "pass", "dword", "format", "bypass", "autodetect", "strings", "malicious", "contact", "static analyzer", "emulation", "analyzer", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "platform", "domain", "varist hybrid", "analyzer resu" ], "references": [ "https://traceix.com/search?sha256=4dfde25f15d828029e492ccdffea343500598c3d0aac896792d97b62ce2fc440&wait=1&tab=av", "http://hybrid-analysis.com/sample/6f1886652984a97cd01fa8a0c2a5a029e90986d51b74c4b61cf81f23e1a457ae/69e146d2c0ff5214930f108b", "https://app.threat.zone/submission/2630d729-3f2b-41cc-bfad-0fa3bc3cefa2/overview", "https://www.filescan.io/uploads/69e1421e5ea31bc68a320574/reports/c43ffdc1-bc0f-40d7-8abc-8e515eff74c5/ioc" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 44, "URL": 389, "domain": 41, "hostname": 161, "FileHash-MD5": 64, "FileHash-SHA1": 99, "email": 5 }, "indicator_count": 803, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "69e1884160553f00eba58d01", "name": "AHS/Cov.Health/GoA/UAlberta -> clone disable_duck", "description": "", "modified": "2026-05-16T21:16:21.456000", "created": "2026-04-17T01:09:21.720000", "tags": [ "event viewer", "custom view", "traceix", "sha-256", "hash search", "malware classification", "encrypted training data", "thrt", "solana", "pcef", "upload", "copy", "capability att", "ck mbc", "exif", "generate", "results", "sha256 drop", "traceix enter", "mint", "linkid787651", "linkid2097191", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "wnp transport", "data connection", "layer", "none", "wsse", "layer tls", "class", "service", "path", "target", "unknown", "powershell", "local", "error", "silent", "body", "root", "agent", "open", "suspicious", "code", "level", "date", "stream", "hybrid", "crypto", "push", "dcom", "false", "install", "null", "guard", "arch", "close", "click", "april", "pass", "dword", "format", "bypass", "autodetect", "strings", "malicious", "contact", "static analyzer", "emulation", "analyzer", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "platform", "domain", "varist hybrid", "analyzer resu" ], "references": [ "https://traceix.com/search?sha256=4dfde25f15d828029e492ccdffea343500598c3d0aac896792d97b62ce2fc440&wait=1&tab=av", "http://hybrid-analysis.com/sample/6f1886652984a97cd01fa8a0c2a5a029e90986d51b74c4b61cf81f23e1a457ae/69e146d2c0ff5214930f108b", "https://app.threat.zone/submission/2630d729-3f2b-41cc-bfad-0fa3bc3cefa2/overview", "https://www.filescan.io/uploads/69e1421e5ea31bc68a320574/reports/c43ffdc1-bc0f-40d7-8abc-8e515eff74c5/ioc" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "69e1568cac2c96dd496dba29", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 44, "URL": 389, "domain": 41, "hostname": 161, "FileHash-MD5": 64, "FileHash-SHA1": 99, "email": 5 }, "indicator_count": 803, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "3.0.2.3", "type": "IPv4" }, "abuseipdb": { "error": "AbuseIPDB daily limit reached (1,000/day).", "indicator": "3.0.2.3" }, "urlhaus": { "indicator": "3.0.2.3", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780250762.1742566 }